Copyright protection system

ABSTRACT

In the present invention, apparatuses are classified into a plurality of categories, and based on a media key and device key data held by apparatuses belonging to the respective categories, revocation data intended for revoking the device key held by a specific apparatus of the respective categories is generated for the respective categories, and recorded on a recording medium.

TECHNICAL FIELD

The present invention relates to a system in which a content, which is adigitalized literary work such as a movie or a musical piece, isrecorded onto, and reproduced from, a large-capacity recording mediumsuch as an optical disc, and particularly to a copyright protectionsystem which prevents a content from being used illicitly, withoutpermission from the copyright owner.

BACKGROUND ART

In recent years, businesses which market contents, which are digitalizedliterary works such as movies and musical pieces, by storing suchcontents in optical discs, for example, are being carried outincreasingly, following the increased capacity of recording media.

As there is a possibility that contents stored in a recording mediumwill be illicitly copied, some kind of protection becomes necessary.

In general, in order to protect the copyrights of contents, morespecifically, to prevent illicit usage such as illicit reproduction andillicit copying of a content, encryption technology is being utilized.

To be more specific, a content is encrypted using a certain encryptionkey, recorded on a recording medium such as an optical disc, anddistributed. At the same time, only a terminal which holds a decryptionkey corresponding to such encryption key can decrypt, using thedecryption key, data which is read out from the recording medium, andcarry out the content's reproduction, and so on.

Moreover, as methods for encrypting a content and recording theencrypted content in a recording medium, there exists (a) a method forencrypting the content itself, using an encryption key which correspondsto a decryption key held by a terminal, and recording the encryptedcontent, and (b) a method in which, in addition to encrypting thecontent using a certain key and recording the encrypted content, adecryption key corresponding to such key is encrypted using anencryption key corresponding to a decryption key held by the terminal,and the encrypted key is recorded.

At this time, strict management is required so that the decryption keyheld by the terminal is not revealed to the outside. However, there is adanger that certain keys may be exposed to the outside through acryptanalysis of the inside of the terminal by an unauthorized person.Once certain keys are exposed to an unauthorized person, it isconceivable that contents can be circulated through the Internet bycreating a reproduction apparatus or software for illicitly usingcontents. In such a case, it is assumed that a copyright owner wouldwant that a key which has been exposed once, would not be able to handlecontents to be provided subsequently. Technology for realizing this isreferred to as key revocation technology, and a system which realizeskey revocation is disclosed in patent reference 1 (Japanese Laid-OpenPatent Application 2002-281013 Publication).

On the other hand, as apparatuses which reproduce the encrypted contentrecorded on the recording medium, there exists (a) a so-called householdplayer in which a function for reading-out the encrypted content fromthe recording medium, and a function for decrypting the encryptedcontent that was read out, are integrated, and (b) a reproductionapparatus which reads-out the content from the recording medium using anoptical disk drive connected to or built into a personal computer, thendecrypts the read-out encrypted content using an application programoperating on the host of a personal computer, and reproduces thedecrypted content. Non-patent reference 1 (Content Protection forPrerecorded Media DVD Book, 4C Entity, LLC) discloses copyrightprotection systems corresponding to these two types of reproductionapparatuses.

However, as revocation data, which is common for all types of thesubject reproduction apparatuses, is recorded onto the recording mediumin such conventional copyright protection systems as those mentionedabove, each reproduction apparatus needs to be provided with a memorywithin the apparatus, for storing, at least temporarily, the entirety ofsuch revocation data read out from the recording media.

Furthermore, generally, in a household player such as a DVD player,changing the process algorithm and key length built into the apparatusis difficult, taking time and effort.

On the other hand, compared to implementation using hardware, when adecryption process and key are implemented as an application program onthe personal computer, through software, updating and additions to theinternal encryption algorithm and key is easy, but sturdy implementationof the encryption algorithm and key is difficult. However, in theconventional copyright protection system in which the common revocationdata is recorded on the recording medium, even when the applicationprogram operating on the host of the personal computer is illicitlycryptanalyzed, and the algorithm and a number of keys are exposed,changing the encryption/decryption algorithm and key lengths isvirtually impossible. This means that the revocation function will notbe able to operate properly, leading to the spread of the illicit use ofthe content using an illicit device. Furthermore, once the key oralgorithm of the application used in a personal computer is exposed, itis possible to have a case where the revocation functions in alldevices, including consumer devices, will stop operating properly.

In order to solve the aforementioned problem, the present inventionprovides a copyright protection system which (a) enables the size of amemory provided inside the reproduction apparatus to be reduced, and (b)enables the revocation function of the entire system to be maintained,even when the application program operating on the host of the personalcomputer is cryptanalyzed and the algorithm and a number of keys areexposed, by changing the encryption/decryption algorithm and keylengths.

DISCLOSURE OF INVENTION

The present invention is a copyright protection system including: arecording apparatus operable to encrypt a content and to record theencrypted content; a recording medium on which the encrypted content isrecorded; and reproduction apparatuses, each of which is operable toread out and decrypt the encrypted content recorded on said recordingmedium, wherein said reproduction apparatuses are classified intoN-categories, N being a natural number greater than one, said recordingapparatus is operable (a) to generate, for the respective N-categoriesand based on a media key and device key data, revocation data intendedfor revoking a device key, (b) to generate the encrypted content whichis the content encrypted based on the media key, and (c) to record atleast the N-pieces of revocation data and the encrypted content ontosaid recording medium, the device key data being held by saidreproduction apparatuses of the respective N-categories, and the devicekey being held by a specific reproduction apparatus of the respectivecategories, and said reproduction apparatuses are each operable (a) toread out, from said recording medium, revocation data, among theN-pieces of revocation data, which is for the category to which saidreproduction apparatus belongs, and the encrypted content, and (b) todecrypt the encrypted content based on the read-out revocation data.

Furthermore, in the copyright protection system of the presentinvention, each of the N-pieces of revocation data is encrypted mediakey data which is the media key encrypted using the device key data heldby said reproduction apparatuses of a corresponding category, and saidreproduction apparatuses of the respective categories are each operable(a) to read out, from said recording medium, the corresponding encryptedmedia key data and the encrypted content, (b) to obtain the media key bydecrypting the encrypted media key data using the held device key, and(c) to decrypt the encrypted content based on the obtained media key.

Furthermore, in the copyright protection system of the presentinvention, said recording apparatus is operable to generate anencryption key based on the media key, and to encrypt the content basedon the encryption key, and said reproduction apparatuses of therespective categories are each operable to generate a decryption keybased on the obtained media key, and to decrypt the encrypted contentbased on the generated decryption key.

Furthermore, in the copyright protection system of the presentinvention, said recording apparatus is operable to encrypt the contentusing a content key, to generate an encrypted content key by encryptingthe content key using the media key, and to record the generatedencrypted content key onto said recording medium, and said reproductionapparatuses of the respective categories are each operable to read outthe encrypted content key from said recording medium, to obtain thecontent key by decrypting the encrypted content key using the media key,and to decrypt the encrypted content using the obtained content key.

Furthermore, in the copyright protection system of the presentinvention, each of the N-pieces of revocation data is encrypted mediakey data which is a media key for a corresponding category, encryptedusing the device key data held by said reproduction apparatuses of thecorresponding category, said recording apparatus is operable to encryptthe content using a content key, to generate N-pieces of encryptedcontent keys by encrypting the content key using N-pieces of media keys,and to record, onto said recording medium, at least the N-pieces ofencrypted media key data, the N-pieces of encrypted content keys, andthe encrypted content, and said reproduction apparatuses of therespective categories are each operable (a) to read out, from saidrecording medium, the encrypted media key data for the correspondingcategory, the encrypted content key for the corresponding category, andthe encrypted content, (b) to obtain the media key for the correspondingcategory by decrypting the encrypted media key data using the helddevice key, (c) to obtain the content key by decrypting the encryptedcontent key for the corresponding category using the obtained media keyfor the corresponding category, and (d) to decrypt the encrypted contentusing the obtained content key.

Furthermore, in the copyright protection system of the presentinvention, said recording apparatuses are made up of: secondreproduction apparatuses belonging to a second category, each of whichis operable to read out and decrypt the encrypted content recorded onthe recording medium; and first reproduction apparatuses, each of whichincludes: a read-out apparatus of the second category operable to readout and perform a part of a decryption process on the encrypted contentrecorded on the recording medium; and a decryption apparatus of a firstcategory, connected to said read-out apparatus of the second category,operable to perform a part of the decryption process on the encryptedcontent, wherein said recording apparatus is operable (a) to generate,based on a media key and on device key data held by said decryptionapparatuses of the first category, first revocation data intended forrevoking a device key held by a specific decryption apparatus of thefirst category, (b) to generate, based on a media key and on device keydata held by said apparatuses of the second category, second revocationdata intended for revoking a device key held by a specific apparatus ofthe second category, (c) to generate an encrypted content which is thecontent encrypted based on the media key, and (d) to record at least thefirst revocation data, the second revocation data, and the encryptedcontent onto said recording medium, said second reproduction apparatusesare each operable to read out the second revocation data and theencrypted content from said recording medium, and to decrypt theencrypted content based on the second revocation data, and in each ofsaid first reproduction apparatuses: said read-out apparatus of thesecond category is operable (a) to read out, from said recording medium,the first revocation data, the second revocation data, and the encryptedcontent, and (to) supply intermediate data and the first revocation datato said decryption apparatus of the first category; and said decryptionapparatus of the first category is operable to obtain the content byperforming the decryption process, based on the first revocation data,on the intermediate data supplied by said read-out apparatus of thesecond category, the intermediate data being the encrypted data on whichthe part of the decryption process has been performed based on thesecond revocation data.

Furthermore, the present invention is a recording apparatus whichencrypts a content and records the encrypted content, wherein saidrecording apparatus is operable (a) to generate, for respectiveN-categories and based on a media key and device key data, revocationdata intended for revoking a device key, (b) to generate an encryptedcontent which is the content encrypted based on the media key, and (c)to record at least the N-pieces of revocation data and the encryptedcontent onto a recording medium, the device key data being held byreproduction apparatuses classified into N-categories and belonging tothe respective categories, the device key being held by a specificreproduction apparatus of the respective categories, and N being anatural number greater than one.

Furthermore, in the abovementioned recording apparatus of the presentinvention, each of the N-pieces of revocation data is encrypted mediakey data which is the media key encrypted using the device key data heldby the reproduction apparatuses of a corresponding category.

Furthermore, in the abovementioned recording apparatus, said recordingapparatus generates an encryption key based on the media key, and toencrypt the content based on the encryption key.

Furthermore, in the abovementioned recording apparatus, said recordingapparatus encrypts the content using a content key, generates anencrypted content key which is the content key encrypted using the mediakey, and records the generated encrypted key onto the recording medium.

Furthermore, in the abovementioned recording apparatus of the presentinvention, each of the N-pieces of revocation data is encrypted mediakey data which is a media key for a corresponding category, encryptedusing the device key data held by the reproduction apparatuses of thecorresponding category, and said recording apparatus is operable (a) toencrypt the content using a content key, (b) to generate N-pieces ofencrypted content keys by encrypting the content key using N-pieces ofmedia keys, and (c) to record, onto the recording medium, at least theN-pieces of encrypted media key data, the N-pieces of encrypted contentkeys, and the encrypted content.

Furthermore, in the abovementioned recording apparatus, said recordingapparatus (a) generates, based on a media key and on device key dataheld by decryption apparatuses of the first category, first revocationdata intended for revoking a device key held by a specific decryptionapparatus of the first category, (b) generates, based on a media key andon device key data held by apparatuses of the second category, secondrevocation data intended for revoking a device key held by a specificapparatus of the second category, and (c) generates an encrypted contentwhich is the content encrypted based on the media key, and to record atleast the first revocation data, the second revocation data, and theencrypted content onto the recording medium.

Furthermore, the present invention is a recording medium on which acontent is recorded, wherein on said recording medium, at leastrevocation data and an encrypted content are recorded, the revocationdata being generated based on a media key and device key data andintended for revoking a device key, the device key data being held byreproduction apparatuses classified into N-categories and belonging tothe respective categories, the device key being held by a specificreproduction apparatus of the respective categories, the encryptedcontent being generated by encrypting the content based on the mediakey, and N being a natural number greater than one.

Furthermore, in the abovementioned recording medium, each of theN-pieces of revocation data is encrypted media key data which is themedia key encrypted using the device key data held by said reproductionapparatuses of a corresponding category.

Furthermore, in the abovementioned recording medium, the encryptedcontent is generated by encrypting the content, based on an encryptionkey generated based on the media key.

Furthermore, in the abovementioned recording medium, the encryptedcontent is generated by encrypting the content using a content key, andon said recording medium, an encrypted content key is recorded, theencrypted content key being generated by encrypting the content keyusing the media key.

Furthermore, in the abovementioned recording medium, each of theN-pieces of revocation data is encrypted media key data which is a mediakey for a corresponding category, encrypted using the device key dataheld by the reproduction apparatuses of the corresponding category, theencrypted content is generated by encrypting the content using a contentkey, and on said recording medium, N-pieces of encrypted content keysgenerated by encrypting the content key using the N-pieces of media keysare recorded.

Furthermore, on said recording medium, at least first revocation data,second revocation data, and the encrypted content are recorded, thefirst revocation data being generated based on the media key and ondevice key data held by decryption apparatuses of a first category andintended for revoking a device key held by a specific decryptionapparatus of the first category, the second revocation data beinggenerated based on the media key and on device key data held byapparatuses of a second category and intended for revoking a device keyheld by a specific apparatus of the second category, and the encryptedcontent being the content on which an encryption process has beenperformed based on the media key.

Furthermore, the present invention is a reproduction apparatus whichreproduces an encrypted content recorded on a recording medium, whereinsaid reproduction apparatuses are classified into N-categories, N beinga natural number greater than one, on the recording medium, at leastrevocation data and an encrypted content are recorded, the revocationdata being generated based on a media key and device key data andintended for revoking a device key, the device key data being held bysaid reproduction apparatuses of the respective N-categories, the devicekey being held by a specific reproduction apparatus of the respectivecategories, and the encrypted content being generated by encrypting thecontent based on the media key, and said reproduction apparatus isoperable (a) to read out, from the recording medium, revocation data,among the N-pieces of revocation data, which is for the category towhich said reproduction apparatus belongs, and the encrypted content,and (b) to decrypt the encrypted content based on the read-outrevocation data.

Furthermore, in the reproduction apparatus of the present invention,each of the N-pieces of revocation data is encrypted media key datawhich is the media key encrypted using the device key data held by saidreproduction apparatuses of a corresponding category, and saidreproduction apparatuses are operable (a) to read out, from therecording medium, the corresponding encrypted media key data and theencrypted content, (b) to obtain the media key by decrypting theencrypted media key data using the held device key, and (c) to decryptthe encrypted content based on the obtained media key.

Furthermore, in the reproduction apparatus of the present invention, theencrypted content is generated by encrypting the content, based on anencryption key generated based on the media key, and said reproductionapparatus is operable to generate a decryption key based on the obtainedmedia key, and to decrypt the encrypted content based on the generateddecryption key.

Furthermore, in the reproduction apparatus of the present invention, theencrypted content is generated by encrypting the content using a contentkey, on the recording medium, an encrypted content key generated byencrypting the content key using the media key is recorded, and saidreproduction apparatus is operable (a) to read out the encrypted contentkey from the recording medium, (b) to obtain the content key bydecrypting the encrypted content key using the media key, and (c) todecrypt the encrypted content using the obtained content key.

Furthermore, in the reproduction apparatus of the present invention,each of the N-pieces of revocation data is encrypted media key datawhich is a media key for a corresponding category, encrypted using thedevice key data held by the reproduction apparatuses of thecorresponding category, the encrypted content is generated by encryptingthe content using a content key, on the recording medium, N-pieces ofencrypted content keys generated by encrypting the content key using theN-pieces of media keys are recorded, and said reproduction apparatus isoperable (a) to read out, from the recording medium, the encrypted mediakey data for the corresponding category, the encrypted content key forthe corresponding category, and the encrypted content, (b) to obtain themedia key for the corresponding category by decrypting the encryptedmedia key data using the held device key, (c) to obtain the content keyby decrypting the encrypted content key using the obtained media key forthe corresponding category, and (d) to decrypt the encrypted contentusing the obtained content key.

Furthermore, in the reproduction apparatus of the present invention, onthe recording medium, at least first revocation data, second revocationdata, and the encrypted content are recorded, the first revocation databeing generated based on the media key and on device key data held bydecryption apparatuses of a first category and intended for revoking adevice key held by a specific decryption apparatus of the firstcategory, the second revocation data being generated based on the mediakey and on device key data held by apparatuses of a second category andintended for revoking a device key held by a specific apparatus of thesecond category, and the encrypted content being the content on which anencryption process has been performed based on the media key, and saidreproduction apparatus belongs to the second category and is operable toread out, from the recording medium, the second revocation data and theencrypted content, and to decrypt the encrypted content based on thesecond revocation data.

Furthermore, the present invention is a read-out apparatus included in areproduction apparatus which reproduces an encrypted content recorded ona recording medium, wherein on the recording medium, at least firstrevocation data, second revocation data, and the encrypted content arerecorded, the first revocation data being generated based on a media keyand on device key data held by decryption apparatuses of a firstcategory and intended for revoking a device key held by a specificdecryption apparatus of the first category, the second revocation databeing generated based on the media key and on device key data held byapparatuses of a second category and intended for revoking a device keyheld by a specific apparatus of the second category, and the encryptedcontent being the content on which an encryption process has beenperformed based on the media key, and said read-out apparatus belongs tothe second category and is operable (a) to read out, from the recordingmedium, the first revocation data, the second revocation data, and theencrypted content, (b) to generate intermediate data which is theencrypted data on which a part of a decryption process has beenperformed, based on the second revocation data, and (c) to output thegenerated intermediate data and the first revocation data.

Furthermore, the present invention is a decryption apparatus included ina reproduction apparatus which reproduces an encrypted content recordedon a recording medium, wherein on the recording medium, at least firstrevocation data, second revocation data, and the encrypted content arerecorded, the first revocation data being generated based on a media keyand on device key data held by decryption apparatuses of a firstcategory and intended for revoking a device key held by a specificdecryption apparatus of the first category, the second revocation databeing generated based on the media key and on device key data held byapparatuses of a second category and intended for revoking a device keyheld by a specific apparatus of the second category, and the encryptedcontent being the content on which an encryption process has beenperformed based on the media key, read-out apparatuses of the secondcategory are each operable (a) to read out, from the recording medium,the first revocation data, the second revocation data, and the encryptedcontent, (b) to generate intermediate data which is the encrypted dataon which a part of a decryption process has been performed, based on thesecond revocation data, and (c) to output the generated intermediatedata and the first revocation data, and said decryption apparatusbelongs to the first category and is operable to obtain the content byperforming a decryption process, based on the first revocation data, onthe intermediate data supplied by said read-out apparatus of the secondcategory.

Furthermore, the present invention is a reproduction apparatus whichreproduces an encrypted content recorded on a recording medium, saidreproduction apparatus including: said read-out apparatus according toclaim 25; and said decryption apparatus according to claim 26.

Furthermore, the present invention is a copyright protection systemincluding: a key generation apparatus operable to generate and recordrevocation data necessary for encrypting and decrypting a content,recording apparatuses, each of which is operable to encrypt a contentand to record the encrypted content; a recording medium on which theencrypted content and the revocation data are recorded; and reproductionapparatuses, each of which is operable to read out and decrypt theencrypted content recorded on said recording medium, wherein saidrecording apparatuses and said reproduction apparatuses are classifiedinto N-categories, N being a natural number greater than one, said keygeneration apparatus is operable (a) to generate, for the respectiveN-categories and based on a media key and device key data, revocationdata intended for revoking a device key, and (b) to record the N-piecesof revocation data onto said recording medium, the device key data beingheld by one of said recording apparatuses and said reproductionapparatuses belonging to the respective N-categories, the device keybeing held by one of a specific recording apparatus and a specificreproduction apparatus of the respective categories, said recordingapparatuses are each operable (a) to read out, from said recordingmedium, revocation data among the N-pieces of revocation data, which isfor the category to which said recording apparatus belongs, (b) togenerate the encrypted content by encrypting the content based on theread-out revocation data, and (c) to record the generated encryptedcontent on said recording medium, and said reproduction apparatuses areeach operable (a) to read out, from said recording medium, revocationdata among the N-pieces of revocation data, which is for the category towhich said reproduction apparatus belongs, and the encrypted content,and (b) to decrypt the encrypted content based on the read-outrevocation data.

Furthermore, the present invention is a key generation apparatus whichgenerates, for respective N-categories and based on a media key anddevice key data, revocation data intended for revoking a device key, andwhich records the generated N-pieces of revocation data onto a recordingmedium, the device key data being held by one of the recordingapparatuses and the reproduction apparatuses classified intoN-categories and belonging to the respective categories, the device keybeing held by one of a specific recording apparatus and a specificreproduction apparatus of the respective categories, and N being anatural number greater than one.

Furthermore, the present invention is a recording apparatus whichencrypts a content and records the encrypted content, wherein saidrecording apparatus is operable (a) to read out, from a recording mediumon which N-pieces of revocation data are recorded, revocation data for acategory to which said recording apparatus belongs, (b) to generate anencrypted content by encrypting the content based on the read-outrevocation data, and (c) to record the generated encrypted content ontothe recording medium, the revocation data being generated based on amedia key and device key data and intended for revoking a device key,the device key data being held by one of recording apparatuses andreproduction apparatuses which are classified into N-categories andbelonging to the respective categories, the device key being held by oneof a specific recording apparatus and a specific reproduction apparatusof the respective categories, and N being a natural number greater thanone.

Furthermore, the present invention is a recording method for use in arecording apparatus which encrypts a content and records the encryptedcontent, said method including: a step of generating, for respectiveN-categories and based on a media key and device key data, revocationdata intended for revoking a device key, the device key data being heldby the reproduction apparatuses classified into the N-categories andbelonging to the respective N-categories, the device key being held by aspecific reproduction apparatus of the respective categories, and Nbeing a natural number greater than one; an encrypted content generationstep of generating the encrypted content by encrypting the content,based on the media key; and a recording step of recording at least theN-pieces of revocation data and the encrypted content onto the recordingmedium.

Furthermore, the present invention is a reproduction method for use in areproduction apparatus which reproduces an encrypted content recorded ona recording medium, wherein the reproduction apparatuses are classifiedinto N-categories, N being a natural number greater than one, on therecording medium, at least revocation data and the encrypted content arerecorded, the revocation data being generated based on a media key anddevice key data and intended for revoking a device key, the device keydata being held by the reproduction apparatuses of the respectiveN-categories, the device key being held by a specific reproductionapparatus of the respective categories, and the encrypted content beinggenerated by encrypting the content based on the media key, and saidreproduction method includes: a read-out step of reading out, from therecording medium: revocation data among the N-pieces of revocation data,for the category to which the reproduction apparatus belongs; and theencrypted content; and a decryption step of decrypting the encryptedcontent based on the revocation data read out in said read-out step.

Furthermore, the present invention is a program for use in a recordingapparatus which encrypts a content and records the encrypted content,said program including: a step of generating, for respectiveN-categories and based on a media key and device key data, revocationdata intended for revoking a device key, the device key data being heldby reproduction apparatuses classified into the N-categories andbelonging to the respective N-categories, the device key being held by aspecific reproduction apparatus of the respective categories, and Nbeing a natural number greater than one; an encrypted content generationstep of generating the encrypted content by encrypting the content,based on the media key; a recording step of recording at least theN-pieces of revocation data and the encrypted content onto the recordingmedium.

Furthermore, the present invention is a program for use in areproduction apparatus which reproduces an encrypted content recorded ona recording medium, wherein the recording apparatuses are classifiedinto N-categories, N being a natural number greater than one, on therecording medium, at least revocation data and the encrypted content arerecorded, the revocation data being generated based on a media key anddevice key data and intended for revoking a device key, the device keydata being held by the reproduction apparatuses of the respectiveN-categories, the device key being held by a specific reproductionapparatus of the respective categories, and the encrypted content beinggenerated by encrypting the content based on the media key, and saidprogram includes: a read-out step of reading out, from the recordingmedium: revocation data among the N-pieces of revocation data, for thecategory to which the reproduction apparatus belongs; and the encryptedcontent; and a decryption step of decrypting the encrypted content basedon the revocation data read out in said read-out step.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 is a block diagram showing the recording apparatus and therecording medium in the first embodiment of the present invention.

FIG. 2 is a block diagram showing the recording apparatus and the firstcategory reproduction apparatus in the first embodiment of the presentinvention.

FIG. 3 is a block diagram showing the recording apparatus and the secondcategory reproduction apparatus in the first embodiment of the presentinvention.

FIG. 4 is a schematic diagram showing a specific example of data to berecorded on the recording medium in the first embodiment of the presentinvention.

FIG. 5 is a schematic diagram showing specific example 1 of the systemupdate in the first embodiment of the present invention.

FIG. 6 is a schematic diagram showing specific example 2 of the systemupdate in the first embodiment of the present invention.

FIG. 7 is a block diagram showing the key generation apparatus and therecording medium in the second embodiment of the present invention.

FIG. 8 is a block diagram showing the first category recording apparatusand the recording medium in the second embodiment of the presentinvention.

FIG. 9 is a block diagram showing the second category recordingapparatus and the recording medium in the second embodiment of thepresent invention.

FIG. 10 is a block diagram showing the recording medium and the firstcategory reproduction apparatus in the second embodiment of the presentinvention.

FIG. 11 is a block diagram showing the recording medium and the secondcategory reproduction apparatus in the second embodiment of the presentinvention.

FIG. 12 is a schematic diagram showing a specific example of data to berecorded on the recording medium in the second embodiment of the presentinvention.

FIG. 13 is a block diagram showing the recording apparatus and therecording medium in the third embodiment of the present invention.

FIG. 14 is a block diagram showing the recording medium and the firstcategory reproduction apparatus in the third embodiment of the presentinvention.

FIG. 15 is a block diagram showing the recording medium and the secondcategory reproduction apparatus in the third embodiment of the presentinvention.

FIG. 16 is a schematic diagram showing a specific example of data to berecorded on the recording medium in the third embodiment of the presentinvention.

FIG. 17 is a schematic diagram showing specific example 1 of the systemupdate in the third embodiment of the present invention.

FIG. 18 is a schematic diagram showing specific example 2 of the systemupdate in the third embodiment of the present invention.

FIG. 19 is a block diagram showing the recording apparatus and therecording medium in the fourth embodiment of the present invention.

FIG. 20 is a block diagram showing the recording medium and the firstcategory reproduction apparatus in the fourth embodiment of the presentinvention.

FIG. 21 is a block diagram showing the recording medium and the secondcategory reproduction apparatus in the fourth embodiment of the presentinvention.

FIG. 22 is a schematic diagram showing a specific example of data to berecorded on the recording medium in the fourth embodiment of the presentinvention.

FIG. 23 is a schematic diagram showing specific example 1 of the systemupdate in the fourth embodiment of the present invention.

FIG. 24 is a schematic diagram showing specific example 2 of the systemupdate in the fourth embodiment of the present invention.

FIG. 25 is a block diagram showing the recording apparatus and therecording medium in the fifth embodiment of the present invention.

FIG. 26 is a block diagram showing the recording medium and the firstcategory reproduction apparatus in the fifth embodiment of the presentinvention.

FIG. 27 is a block diagram showing the recording medium and the secondcategory reproduction apparatus in the fifth embodiment of the presentinvention.

FIG. 28 is a schematic diagram showing a specific example of data to berecorded on the recording medium in the fifth embodiment of the presentinvention.

FIG. 29 is a schematic diagram showing specific example 1 of the systemupdate in the fifth embodiment of the present invention.

FIG. 30 is a schematic diagram showing specific example 2 of the systemupdate in the fifth embodiment of the present invention.

FIG. 31 is a block diagram showing the recording apparatus and therecording medium in the sixth embodiment of the present invention.

FIG. 32 is a block diagram showing the recording medium and the firstcategory reproduction apparatus in the sixth embodiment of the presentinvention.

FIG. 33 is a block diagram showing the recording medium and the secondcategory reproduction apparatus in the sixth embodiment of the presentinvention.

FIG. 34 is a schematic diagram showing a specific example of data to berecorded on the recording medium in the sixth embodiment of the presentinvention.

FIG. 35 is a schematic diagram showing specific example 1 of the systemupdate in the sixth embodiment of the present invention.

FIG. 36 is a schematic diagram showing specific example 2 of the systemupdate in the sixth embodiment of the present invention.

FIG. 37 is a block diagram showing the recording apparatus and therecording medium in the seventh embodiment of the present invention.

FIG. 38 is a block diagram showing the recording medium and the firstcategory reproduction apparatus in the seventh embodiment of the presentinvention.

FIG. 39 is a block diagram showing the recording medium and the secondcategory reproduction apparatus in the seventh embodiment of the presentinvention.

FIG. 40 is a schematic diagram showing a specific example of data to berecorded on the recording medium in the seventh embodiment of thepresent invention.

FIG. 41 is a schematic diagram showing specific example 1 of the systemupdate in the seventh embodiment of the present invention.

FIG. 42 is a schematic diagram showing specific example 2 of the systemupdate in the seventh embodiment of the present invention.

BEST MODE FOR CARRYING OUT THE INVENTION

Hereinafter, the embodiments of the present invention shall be describedwith reference to the diagrams.

First Embodiment

The first embodiment of the present invention is an application of thepresent invention in a system in which a content is distributed using arecording medium such as a playback-only DVD, and reproduced usingreproduction apparatuses. Note that in the first embodiment, first andsecond categories are provided for the reproduction apparatuses, andrevocation is carried out using different device keys for each category.As such, the first embodiment is characterized by the fact that therevocation systems used for the same recording medium can be classifiedaccording to the category of the reproduction apparatuses, and even inthe case where, for example, one of the revocation systems is overcome,it is possible to maintain the revocation system belonging to the othercategory.

Hereinafter, the first embodiment of the present invention shall bedescribed with reference to the diagrams. FIG. 1 shows a recordingapparatus 100 which encrypts a content and records the encryptedcontent, and a recording medium 120. FIG. 2 shows a first categoryreproduction apparatus 200 which reads-out and decrypts, the encryptedcontent from the recording medium 120. FIG. 3 shows a second categoryreproduction apparatus 300 which reads-out and decrypts, the encryptedcontent from the recording medium 120. Furthermore, FIG. 4 shows aspecific example of various data to be recorded on the recording medium120.

The recording apparatus 100 is an apparatus which records a content ontoeach DVD at the time of production for example, and includes thefollowing: a first device key storage unit 101 which stores a device keyheld confidentially by each reproduction apparatus belonging to thefirst category; a second device key storage unit 102 which stores adevice key held confidentially by each reproduction apparatus belongingto the second category; a first device key selection unit 103 and asecond device key selection unit 104, each of which selects a device keyto be used for the encryption of a media key; a first media keyencryption unit 105 which encrypts a media key inputted from theoutside, using the device key selected by the first device key selectionunit 103; a second media key encryption unit 106 which encrypts themedia key, using the device key selected by the second device keyselection unit 104; a content key encryption unit 107 which encrypts,using the media key, a content key inputted from the outside; and acontent encryption unit 108 which encrypts a content likewise inputtedfrom the outside.

Note that although it is not shown in FIG. 1, the first media keyencryption unit 105 stores information on a reproduction apparatus to berevoked among the reproduction apparatuses in the first category, andthe second media key encryption unit 106 stores information on areproduction apparatus to be revoked among the reproduction apparatusesin the second category. During the generation of the encrypted mediakey, the encrypted media key is generated in such a way that the correctmedia key cannot be decrypted by such reproduction apparatuses to berevoked. In addition, different key data is selected for the media keyeach time a recording medium is manufactured, and different key data isselected for the content key for each content.

The recording medium 120 includes the following: a first encrypted mediakey data recording area 121 for recording first encrypted media key datagenerated by the first media key encryption unit 105; a second encryptedmedia key data recording area 122 for recording second encrypted mediakey data generated by the second media key encryption unit 106; anencrypted content key recording area 123 for recording the encryptedcontent key generated by the content key encryption unit 107; and anencrypted content recording area 124 for recording the encrypted contentgenerated by the content encryption unit 108.

The first category reproduction apparatus 200 includes the following: adevice key storage unit 201 which confidentially holds a device key; amedia key decryption unit 202 which obtains the media key by decrypting,using the device key, the first encrypted media key data which is readout from the recording medium 120; a content key decryption unit 203which obtains the content key by decrypting, using the obtained mediakey, the encrypted content key which is read out from the recordingmedium 120; and a content decryption unit 204 which decrypts, using theobtained content key, the encrypted content which is read out from therecording medium 120. In the present embodiment, a reproductionapparatus which is implemented through software, as in an applicationprogram in a personal computer, is assumed as a reproduction apparatusbelonging to the first category.

The second category reproduction apparatus 300 includes the following: adevice key storage unit 301 which confidentially holds the device key; amedia key decryption unit 302 which obtains the media key by decrypting,using the device key, the second encrypted media key data which is readout from the recording medium 120; a content key decryption unit 303which obtains the content key by decrypting, using the obtained mediakey, the encrypted content key which is read out from the recordingmedium 120; and a content decryption unit 304 which decrypts, using theobtained content key, the encrypted content which is read out from therecording medium 120. In the present embodiment, a reproductionapparatus which is implemented through hardware, as in a commonhousehold player, is assumed as a reproduction apparatus belonging tothe second category.

FIG. 4 shows a specific example of the various data to be recorded onthe recording medium 120 in the case where it is assumed that m-units offirst category reproduction apparatuses and n-units of second categoryreproduction apparatuses hold only one unique device key each, and afirst category reproduction apparatus 2 and a second categoryreproduction apparatus 3 are revoked. In FIG. 4, it is assumed that afirst category reproduction apparatus “i” (i=1 to m) holds a device keyDKAi, a second category reproduction apparatus “j” (j=1 to n) holds adevice key DKBj. Furthermore, Ea (X, Y), Eb (X, Y), Ec (X, Y) and Ed (X,Y) represent functions for encrypting data Y using key data X. Inaddition, the encryption algorithm used can be realized by commonlyknown technology, and the present embodiment makes use of DEScryptography having a key length of 56 bits.

(The First Encrypted Media Key Data Recording Area 121)

A media key (MK) encrypted using device keys (DKA1 to DKAm) held by thefirst category reproduction apparatuses is recorded in the firstencrypted media key data recording area 121. Here, the first categoryreproduction apparatus 2 is revoked, and data “0” which has absolutelyno relation to the media key (MK), is encrypted and recorded in DKA2.This is the result of having the reproduction apparatus 2 inputted tothe first media key encryption unit 105 as the information on therecording apparatus to be revoked within the first category, during thegeneration of the first encrypted media key, and processed so that thecorrect media key cannot be obtained by the reproduction apparatus 2.

(The Second Encrypted Media Key Data Recording Area 122)

The media key (MK) encrypted using device keys (DKB1 to DKBn) held bythe second category reproduction apparatuses is recorded in the secondencrypted media key data recording area 122. Here, the second categoryreproduction apparatus 3 is revoked, and data “0” which is hasabsolutely no relation to the media key (MK), is encrypted and recordedin DKB3. This is the result of having the reproduction apparatus 3inputted to the second media key encryption unit 106 as the informationon the recording apparatus to be revoked within the second category,during the generation of the second encrypted media key, and processedso that the correct media key cannot be obtained by the reproductionapparatus 3.

By generating the first and second media key data in this manner, thereproduction apparatuses, apart from the first category reproductionapparatus 2 and the second category recording apparatus 3, are able todecrypt the correct media key (MK), and the first category reproductionapparatus 2 and the second category recording apparatus 3 can beexcluded from the system.

(The Encrypted Content Key Recording Area 123)

A content key (CK) which is encrypted using the media key (MK) isrecorded in the encrypted content key recording area 123.

(The Encrypted Content Recording Area 124)

A content which is encrypted using the content key (CK) is recorded inthe encrypted content recording area 124.

In the above-configured first embodiment of the present invention, inthe case where, for example, a number of device keys provided to thefirst category recording apparatuses and the algorithm for decryptingthe first encrypted media key data are illicitly exposed over theInternet, and it is judged that the revocation for the first categoryreproduction apparatuses has stopped functioning, the revocation systemfor the first category reproduction apparatuses is updated. Specificexamples are described hereinafter.

(System Update Specific Example 1)

FIG. 5 shows a specific example 1 for various data to be recorded on anew recording medium 120 which is created after it is judged that therevocation for the first category reproduction apparatuses has stoppedfunctioning. The difference with FIG. 4 is that the device keys DKA1 toDKAm used in generating the first encrypted media key data are changedto DKA′1 to DKA′m. Here, each device key among the new device keys(DKA′1 to DKA′m) does not match any of the pre-system update device keys(DKA1 to DKAm). As such, it becomes possible to update the revocationsystem at the time a recording medium 120 is to be manufactured afterthe revocation function has stopped functioning.

On the other hand, the first category reproduction apparatus 200, whichis not revoked, is provided with a new device key which is stored in thedevice key storage unit 201. For example, a first category reproductiondevice m holds a newly provided device key (DKA′m) in the device keystorage unit 201, in addition to a device key (DKAm) that it has beenholding since before. To decrypt the first encrypted media key which isread out from the recording medium, and obtain the media key (MK), thereproduction apparatus m uses the device key DKAm when reproducing therecording medium in FIG. 4, and uses the device key DKA′m whenreproducing the post-revocation system update recording medium in FIG.5. It then uses the obtained media key (MK) to decrypt the encryptedcontent key and obtain the content key (CK), and then uses the obtainedcontent key (CK) to decrypt the encrypted content and reproduce thecontent.

Here, as each device key among the new device keys (DKA′1 to DKA′m) doesnot match any of the pre-system update device keys (DKA1 to DKAm), evenwhen a device key, apart from DKA2, is exposed through an illicitcryptanalysis prior to the system update, the media key (MK) cannot beobtained by using such device key to decrypt the first encrypted mediakey which is read out from the recording medium in FIG. 5, and thecontent cannot be reproduced.

Moreover, as the device keys (DKB1 to DKBn) used in the generation ofthe second encrypted media key data are not changed during theaforementioned system update, no changes have to be made for thereproduction apparatuses belonging to the second category.

(System Update Example 2)

FIG. 6 shows a specific example 2 for various data to be recorded on anew recording medium 120 which is created after it is judged that therevocation for the first category reproduction apparatuses has stoppedfunctioning. The difference with FIG. 4 is that the device keys DKA1 toDKAm used in generating the first encrypted media key data are changedto DKA′1 to DKA′m, and the encryption algorithm is changed from Ea (X,Y) to Ea′ (X, Y). Here, each device key among the new device keys (DKA′1to DKA′m) does not match any of the pre-system update device keys (DKA1to DKAm).

On the other hand, each first category reproduction apparatus 200, whichis not revoked, is provided with a new device key which is stored in thedevice key storage unit 201. Furthermore, a decryption algorithm Da′ (X,Y) for decrypting the first encrypted media key data in FIG. 5 is builtinto the media key decryption unit 202, in addition to a decryptionalgorithm Da (X, Y) for decrypting the first encrypted media key data inFIG. 4 which has been built-in since before. For example, a firstcategory reproduction device m holds a newly provided device key(DKA′m), in addition to a device key (DKAm) that it has been holdingsince before. To decrypt the first encrypted media key which is read outfrom the recording medium, and obtain the media key (MK), thereproduction apparatus m uses the device key DKAm and the encryptionalgorithm Da (X, Y) when reproducing the recording medium in FIG. 4, anduses the device key DKA′m and the encryption algorithm Da′ (X,Y) whenreproducing the post-revocation system update recording medium in FIG.5. It then uses the obtained media key (MK) to decrypt the encryptedcontent key and obtain the content key (CK), and then uses the obtainedcontent key (CK) to decrypt the encrypted content and reproduce thecontent. In the present embodiment, Ea (X, Y) and Da (X, Y) use a DEScryptograph having a key length of 56 bits. In contrast, Ea′ (X, Y) andDa′ (X, Y) use a 112-bit key length cryptograph known as a two-keytriple DES.

Here, as each device key among the new device keys (DKA′1 to DKA′m) doesnot match any of the pre-system update device keys (DKA1 to DKAm), evenwhen a device key, apart from DKA2, is exposed through an illicitcryptanalysis prior to the system update, the media key (MK) cannot beobtained by using such device key to decrypt the first encrypted mediakey which is read out from the recording medium in FIG. 5, and thecontent cannot be reproduced.

Furthermore, as it is possible to increase the encryption strength bychanging the key length of the device key and the encryption algorithm,practices such as the illicit obtainment of a device key through thecryptanalysis of the system can be hindered.

Moreover, as the device keys (DKB1 to DKBn) used in the generation ofthe second encrypted media key data, and the encryption algorithm of thesecond encrypted media key data, are not changed during theaforementioned system update, no changes need to be made for thereproduction apparatuses belonging to the second category.

Note that in both the specific examples 1 and 2 of the system update,information regarding the generations of the system update is recordedon the recording medium. Based on this information, the first categoryreproduction apparatuses decide on which generation of device key oralgorithm to use.

According to the above-configured first embodiment of the presentinvention, there is no need for the first category reproductionapparatus 200 and the second category reproduction apparatus 300 to readthe first or second encrypted media key data which are for revokingrespective reproduction apparatuses of the different categories.Therefore, the memory capacity provided within the apparatus can be madesmaller and processing time can be reduced. Furthermore, the encryptionalgorithm used in generating the first encrypted media key data can bemade different from the encryption algorithm used in generating thesecond encrypted media key data. Therefore, even in the case where therevocation system of the first category reproduction apparatuses fallsinto a situation where it is exposed, the revocation system can bechanged, without affecting the second category reproduction apparatuses,by changing (a) the key length of the device keys provided to the firstcategory reproduction apparatuses and (b) the generation algorithm ofthe first encrypted media key data. This is particularly effective inthe case where, as in the present embodiment, (a) the first categoryrefers to a reproduction apparatus implemented through software forwhich updating and adding of decryption algorithms and keys is easy butsturdy implementation is difficult, and (b) the second category refersto a reproduction apparatus implemented through hardware which is sturdybut updating and adding of decryption algorithms and keys is difficult.Furthermore, for example, a PC which realizes content decryption throughan application is provided as a reproduction apparatus belonging to thefirst category, and a consumer device such as a DVD player whichrealizes content decryption through hardware is provided as areproduction apparatus belonging to the second category.

Moreover, although in FIG. 1 in the present embodiment, a configurationis assumed in which the media key and content key are inputted from asource outside of the recording apparatus 100, the present invention isnot limited to such configuration. For example, it is also possible tohave a configuration in which the recording apparatus 100 includes astorage unit for storing the media key and the content key. Furthermore,it is also possible for to have a configuration in which the recordingapparatus 100 includes a generation unit which generates the media keyand the content key as required.

Furthermore, although in FIG. 1 in the present embodiment, a two-stageconfiguration is assumed in which the content is encrypted using acontent key, and then the content key is encrypted using the media key,the present invention is not limited to such configuration. For example,it is also possible to have a single-stage configuration in which acontent is encrypted directly using a media key. In addition, it is alsopossible to have a configuration in which the stages for encryption arefurther increased through the addition of keys.

Furthermore, as shown in FIG. 1, the recording apparatus in the presentembodiment assumes an integrated configuration for the device keystorage unit and the media key encryption unit for each category, thecontent key encryption unit, the content encryption unit, as well as therecording of respective data onto the recording medium. However, thepresent invention is not limited to such, and it is possible to have aconfiguration in which the recording apparatus is separated. Forexample, it is also possible to have a configuration in which (a) thedevice key storage unit and the media key encryption unit for eachcategory, as well as the content key encryption unit (the sectionenclosed in broken lines in FIG. 1) are built into an apparatus which isprovided in a facility which operates the key management of the entiresystem and the key issuance for the reproduction apparatuses, as theirmanagement and operation require great confidentiality, and (b) thecontent encryption unit and the recording of respective data onto therecording medium is executed by an apparatus provided in a contentmanufacturing facility or a recording medium manufacturing facility.

Furthermore, in the present embodiment, during the generation of thefirst encrypted media key data in the system updating, data is alsoassigned to the revoked reproduction apparatuses at the time of systemupdating, as in Ea (DKA′2, 0) in FIG. 5 and Ea′ (DKA′2, 0) in FIG. 6.However, it is also possible to have a configuration in which data isnot assigned to a revoked recording apparatus. In that case, theposition of the encrypted media key to be used by the reproductionapparatuses which are not revoked is also updated, and by providing newposition information when a new device key is provided, the reproductionapparatuses that are not revoked can use the appropriate data and obtainthe correct media key even if there is a change in the position of theencrypted media key before and after the system update. In such a case,the volume of data that needs to be stored in the first encrypted mediakey data recording area after the system update can be reduced.Alternatively, when the maximum value for the volume is limited, thenumber of new reproduction apparatuses belonging to the first categorycan be increased.

Furthermore, although the present embodiment adopts a method in whichrevocation of a reproduction apparatus is performed using encryptedmedia key data such as that shown in FIG. 4, a different method can beused for the method for revocation. For example, the revocation methodutilizing a tree-structure, disclosed in patent reference 1 can also beused.

Furthermore, although the present embodiment makes use of the DES havinga 56-bit key length as the encryption algorithm, and the two-key tripleDES having a 112-bit key length as the post-system update algorithm, thepresent invention is not limited to such, and can also use otherencryption algorithms such as AES having a 128-bit key length, forexample, which is referred to as a next-generation standard cryptograph.

Second Embodiment

The second embodiment of the present invention is characterized by theapplication of the present invention in a system in which a contentencrypted using a content key is recorded onto a recording medium suchas a rewritable or recordable DVD-RAM and DVD-R, by a recordingapparatus such as a DVD recorder, and the encrypted content isreproduced by a reproduction apparatus after being decrypted using acontent key.

Hereinafter, the second embodiment of the present invention shall bedescribed with reference to the diagrams. FIG. 7 shows a key generationapparatus 700 which generates and records key information, and arecording medium 720. FIG. 8 shows a first category recording apparatus800 which encrypts a content and records the encrypted content onto therecording medium 720. FIG. 9 shows a second category recording apparatus900 which encrypts the content and records the encrypted content ontothe recording medium 720. FIG. 10 shows a first category reproductionapparatus 1000 which reads out the encrypted content from the recordingmedium 720 and decrypts the encrypted content. FIG. 11 shows a secondcategory reproduction apparatus 1100 which reads out the encryptedcontent from the recording medium 720 and decrypts the encryptedcontent. Furthermore, FIG. 12 shows a specific example of various datato be recorded on the recording medium 120.

The key generation apparatus 700 respectively stores device keys heldconfidentially by each apparatus in the first category, into a firstdevice key storage unit 701, and device keys held confidentially by eachapparatus in the second category, into a second device key storage unit702. As the encryption of media keys and content keys is the same as inthe recording apparatus mentioned previously in the first embodiment,description shall be omitted.

The recording medium 720 includes a first encrypted media key datarecording area 721, a second encrypted media key data recording area722, an encrypted content key recording area 723, and an encryptedcontent recording area 724. Here, the first encrypted media key datarecording area 721, the second encrypted media key data recording area722, and the encrypted content key recording area 723, enclosed inbroken lines, are areas that cannot be recorded onto by the firstcategory recording apparatus 800 and the second category recordingapparatus 900. On the other hand, the encrypted content recording areais an area that can be recorded onto by the first category recordingapparatus 800 and the second category recording apparatus 900.

The first category recording apparatus 800 includes the following: adevice key storage unit 801 which stores a device key confidentially; amedia key decryption unit 802 which obtains a media key by decrypting,using the device key, a first encrypted media key data which is read outfrom the recording medium 720; a content key decryption unit 803 whichobtains the content key by decrypting, using the obtained media key, theencrypted content key which is read out from the recording medium; and acontent encryption unit 804 which encrypts, using the obtained contentkey, a content which is inputted from the outside. In the presentembodiment, a reproduction apparatus which is implemented throughsoftware, as in an application program in a personal computer, isassumed as a reproduction apparatus belonging to the first category.

The second category recording apparatus 900 includes the following: adevice key storage unit 901 which stores a device key confidentially; amedia key decryption unit 902 which obtains a media key by decrypting,using the device key, the second encrypted media key data which is readout from the recording medium 720; a content key decryption unit 903which obtains the content key by decrypting, using the obtained mediakey, the encrypted content key which is read out from the recordingmedium; and a content encryption unit 904 which encrypts, using theobtained content key, a content which is inputted from the outside. Inthe present embodiment, a reproduction apparatus which is implementedthrough hardware, as in a common household recorder, is assumed as areproduction apparatus belonging to the second category.

The first category reproduction apparatus 1000 and the second categoryreproduction apparatus 1100 respectively have the same structure as thefirst category reproduction unit 200 and the second categoryreproduction unit 300 in the aforementioned first embodiment of thepresent invention. The same numbering is given to the identicalcomponent elements and their description shall be omitted.

FIG. 12 shows a specific example of various data to be recorded onto therecording medium 720 in the case where it is assumed that m-units offirst category apparatuses and n-units of second category apparatuseshold only one unique device key each, and a first category apparatus 2and a second category apparatus 3 are revoked. In FIG. 12, it is assumedthat a first category apparatus “i” (i=1 to m) holds a device key DKAi,a second category apparatus “j” (j=1 to n) holds a device key DKBj. Notethat as the data recorded in the first encrypted media key datarecording area 721, the second encrypted media key data recording area722, the encrypted content key recording area 723, and the encryptedcontent recording area 724 are respectively the same as the datarecorded in the first encrypted media key data recording area 121, thesecond encrypted media key data recording area 122, the encryptedcontent key recording area 123, and the encrypted content recording area124 in the first embodiment of the present invention, their descriptionshall be omitted.

According to the present embodiment, with the aforementionedconfiguration, the apparatuses, apart from the first category apparatus2 and the second category apparatus 3, are able to decrypt the correctmedia key (MK), and the first category apparatus 2 and the secondcategory apparatus 3 can be excluded from the system.

Furthermore, in the present embodiment, in the case where it is judgedthat the revocation for the first category apparatuses has stoppedfunctioning, the revocation system for the first category apparatuses isupdated. Description of the updating method shall be omitted as the samemethod as that mentioned previously in the first embodiment of thepresent invention can be adopted.

Moreover, as the device keys (DKB1 to DKBn) used in generating thesecond encrypted media key are not changed during the system update, nochanges need to be made for recording apparatuses and reproductionapparatuses belonging to the second category.

According to above-configured second embodiment of the presentinvention, there is no need for first category apparatuses (therecording apparatus 800 and the reproduction apparatus 1000) and secondcategory apparatuses (the recording apparatus 900 and the reproductionapparatus 1100) to read the first or the second encrypted media key datawhich are for revoking respective reproduction apparatuses of thedifferent categories. Therefore, the memory capacity provided within theapparatus can be made smaller and processing time can also be reduced.Furthermore, the encryption algorithm used in generating the firstencrypted media key data can be made different from the encryptionalgorithm used in generating the second encrypted media key data.Therefore, even in the case where the revocation system of the firstcategory apparatuses falls into a situation where it is exposed, therevocation system can be changed, without affecting the second categoryapparatuses, by changing (a) the key length of the device keys providedto the first category apparatuses and (b) the generation algorithm ofthe first encrypted media key data. This is particularly effective inthe case where, as in the first embodiment, (a) the first categoryrefers to an apparatus implemented through software for which updatingand adding of decryption algorithms and keys is easy but sturdyimplementation is difficult, and (b) the second category refers to anapparatus implemented through hardware which is sturdy but updating andadding of decryption algorithms and keys is difficult.

Moreover, although the present embodiment adopts a configuration inwhich the recording apparatus and reproduction apparatus of eachcategory are different apparatuses, the present embodiment is notlimited to this configuration. For example, it is also possible to havea configuration in which a recording apparatus and a reproductionapparatus are in the same apparatus.

Furthermore, although in FIG. 7 in the present embodiment, aconfiguration is assumed in which the media key and content key areinputted from a source outside of the key generation apparatus 700, thepresent invention is not limited to such configuration. For example, itis also possible to have a configuration in which the key generationapparatus 700 includes a storage unit for storing the media key and thecontent key. Furthermore, it is also possible for to have aconfiguration in which the key generation apparatus 700 includes ageneration unit which generates the media key and the content key asrequired.

Furthermore, although in FIG. 8 and FIG. 9 in the present embodiment, atwo-stage configuration is assumed in which the content key is obtainedby decrypting the encrypted content key using the media key, and thenthe content is encrypted using the obtained content key, the presentinvention is not limited to such configuration. For example, it is alsopossible to have a single-stage configuration in which a content isencrypted directly using a media key. Furthermore, it is also possibleto have a configuration in which a content is encrypted using a contentkey generated within the recording apparatus, then the content key isencrypted using a media key, and then the encrypted content and theencrypted content key are recorded onto a recording medium. In addition,it is also possible to have a configuration in which the stages forencryption are further increased through the addition of keys.

Furthermore, as shown in FIG. 7, in the present embodiment, the keygeneration unit assumes an integrated configuration for the device keystorage unit and the media key encryption unit for each category, thecontent key encryption unit, as well as the recording of respective dataonto the recording medium. However, the present invention is not limitedto such configuration. For example, it is also possible to have aconfiguration in which (a) the device key storage unit and the media keyencryption unit for each category, as well as the content key encryptionunit are built into an apparatus which is provided in a facility whichoperates the key management of the entire system and the key issuancefor the reproduction apparatuses, as their management and operationrequire great confidentiality, and (b) the recording of respective dataonto the recording medium is executed by an apparatus provided in arecording medium manufacturing facility. Generally, a rewritable orrecordable optical disc includes an area that can be recorded on usingthe recording apparatus possessed by a common user, and a playback-onlyarea which cannot be recorded onto using the recording apparatuspossessed by the common user. A disc manufacturer records data onto theplayback-only area prior to shipment. In this case, the recording ofdata onto the playback-only area by the disc manufacturer is generallycarried out by recording the data in a master referred to as a stamper,and using such stamper in a pressing operation. The present inventioncan be applied even in the case where the encrypted media key data isrecorded onto the recording medium in such an operation for recordingdata onto the playback-only area by a disc manufacturer.

Third Embodiment

The third embodiment of the present invention is an application of thepresent invention in a system in which a content is distributed using aplayback-only recording medium, and the distributed content isreproduced using reproduction apparatuses, as in the first embodiment.Furthermore, it is characterized by recording revocation data, which isread by reproduction apparatuses belonging to a first and secondcategory, onto a recording medium using two media keys, a first and asecond media key, per recording medium.

Hereinafter, the third embodiment of the present invention shall bedescribed with reference to the diagrams. FIG. 13 shows a recordingapparatus 1300 which encrypts a content and records the encryptedcontent, and a recording medium 1320. FIG. 14 shows a first categoryreproduction apparatus 1400 which reads-out and decrypts, the encryptedcontent from the recording medium 1320. FIG. 15 shows a second categoryreproduction apparatus 1500 which reads-out and decrypts, the encryptedcontent from the recording medium 1320. Furthermore, FIG. 16 shows aspecific example of various data to be recorded on the recording medium1320.

The recording apparatus 1300 in FIG. 13 is different from the recordingapparatus in FIG. 1 in being separately provided with a first media keyfor the first category and a second media key for the second category,and encrypting the first and second media keys in a first media keyencryption unit 1305 and a second media key encryption unit 1306,respectively, then encrypting a content key in a first content keyencryption unit 1307 and a second content key encryption unit 1308 usingthe first and the second media keys, respectively, and then recordingthe output on the recording medium 1320. As the rest of the points arethe same as in the recording apparatus 100 in FIG. 1, description shallbe omitted.

The recording medium 1320 includes the following: a first encryptedmedia key data recording area 1321 for recording first encrypted mediakey data generated by the first media key encryption unit 1305; a secondencrypted media key data recording area 1322 for recording secondencrypted media key data generated by the second media key encryptionunit 1306; a first encrypted content key recording area 1323 forrecording the first encrypted content key generated by the first contentkey encryption unit 1307; a second encrypted content key recording area1324 for recording the second encrypted content key generated by thesecond content key encryption unit 1308; and an encrypted contentrecording area 1325 for recording the encrypted content generated by thecontent encryption unit 1309.

The first category reproduction apparatus 1400 and the second categoryreproduction apparatus 1500 obtain the content key by respectivelydecrypting the first and the second encrypted content keys read out fromthe recording medium 1320. As the rest of the points are the same as inthe first category reproduction apparatus 200 and the second categoryreproduction apparatus 300 in the first embodiment, their descriptionshall be omitted.

FIG. 16 shows a specific example of the various data to be recorded onthe recording medium 1320 in the case where it is assumed that m-unitsof first category reproduction apparatuses and n-units of secondcategory reproduction apparatuses hold only one unique device key each,and a first category reproduction apparatus 2 and a second categoryreproduction apparatus 3 are revoked. In FIG. 16, it is assumed that afirst category reproduction apparatus “i” (i=1 to m) holds a device keyDKAi, a second category reproduction apparatus “j” (j=1 to n) holds adevice key DKBj. Furthermore, Ea (X, Y), Eb (X, Y), Ec (X, Y) and Ed (X,Y), and Ee (X, Y) represent functions for encrypting data Y using keydata X. In addition, the encryption algorithm used can be realized bycommonly known technology, and the present embodiment makes use of DEScryptography having a key length of 56 bits.

(The First Encrypted Media Key Data Recording Area 1321)

A first media key (MK1) encrypted using device keys (DKA1 to DKAm) heldby the first category reproduction apparatuses is recorded in the firstencrypted media key data recording area 1321. Here, the first categoryreproduction apparatus 2 is revoked, and data “0” which has absolutelyno relation to the first media key (MK1), is encrypted and recorded inDKA2. This is the result of having the reproduction apparatus 2 inputtedto the first media key encryption unit 1305 as the information on therecording apparatus to be revoked within the first category, during thegeneration of the first encrypted media key data, and processed so thatthe correct media key cannot be obtained by the reproduction apparatus2. By generating first encrypted media key data in this manner, thefirst category reproduction apparatuses, apart from the reproductionapparatus 2, are able to decrypt the correct, first media key (MK1), andthe first category reproduction apparatus 2 can be excluded from thesystem.

(The Second Encrypted Media Key Data Recording Area 1322)

A second media key (MK2) encrypted using device keys (DKB1 to DKBn) heldby the second category reproduction apparatuses is recorded in thesecond encrypted media key data recording area 1322. Here, the secondcategory reproduction apparatus 3 is revoked, and data “0” which hasabsolutely no relation to the second media key (MK2), is encrypted andrecorded in DKB3. This is a result of having the reproduction apparatus3 inputted to the second media key encryption unit 1306 as theinformation on the reproduction apparatus to be revoked among the secondcategory, during the generation of the second encrypted media key data,and processed so that the correct media key cannot be obtained by thereproduction apparatus 3. By generating the second media key data inthis manner, the second category reproduction apparatuses, apart fromthe recording apparatus 3, are able to decrypt the correct second mediakey (MK2), and the second category recording apparatus 3 can be excludedfrom the system.

(The First Encrypted Content Key Recording Area 1323)

A content key (CK) which is encrypted using the first media key (MK1) isrecorded in the first encrypted content key recording area 1323.

(The Second Encrypted Content Key Recording Area 1324)

The content key (CK) which is encrypted using the second media key (MK2)is recorded in the second encrypted content key recording area 1324.

(The Encrypted Content Recording Area 1325)

A content which is encrypted using the content key (CK) is recorded inthe encrypted content recording area 1325.

In the above-configured first embodiment of the present invention, inthe case where, for example, a number of device keys provided to thefirst category recording apparatuses and the algorithms for decryptingthe first encrypted media key data and the first encrypted content keyare illicitly exposed over the Internet, and it is judged that therevocation for the first category reproduction apparatuses has stoppedfunctioning, the revocation system for the first category reproductionapparatuses is updated. Specific examples are described hereinafter.

(System Update Specific Example 1)

FIG. 17 shows a specific example 1 for various data to be recorded on anew recording medium 1320 which is created after it is judged that therevocation for the first category reproduction apparatuses has stoppedfunctioning. The difference with FIG. 16 is that the device keys DKA1 toDKAm used in generating the first encrypted media key data are changedto DKA′1 to DKA′m. As this is the same as the system update specificexample 1 described in the aforementioned first embodiment, descriptionof details shall be omitted.

Here, as each device key among the new device keys (DKA′1 to DKA′m) doesnot match any of the pre-system update device keys (DKA1 to DKAm), evenwhen a device key, apart from DKA2, is exposed through an illicitcryptanalysis prior to the system update, the media key (MK1) cannot beobtained by using such device key to decrypt the first encrypted mediakey data which is read out from the recording medium in FIG. 17, and thecontent cannot be reproduced.

Moreover, as the device keys (DKB1 to DKBn) used in the generation ofthe second encrypted media key data are not changed during theaforementioned system update, no changes need to be made for thereproduction apparatuses belonging to the second category.

(System Update Example 2)

FIG. 18 shows a specific example 2 for various data to be recorded on anew recording medium 1320 which is created after it is judged that therevocation for the first category reproduction apparatuses has stoppedfunctioning. The difference with FIG. 16 is that the device keys DKA1 toDKAm used in generating the first encrypted media key data are changedto DKA′1 to DKA′m, the encryption algorithm for the first encryptedmedia key data is changed from Ea (X, Y) to Ea′ (X, Y), and theencryption algorithm for the first encrypted content key is changed fromEc (X, Y) to Ec′ (X, Y). Here, each device key among the new device keys(DKA′1 to DKA′m) does not match any of the pre-system update device keys(DKA1 to DKAm).

On the other hand, each first category reproduction apparatus 1400,which is not revoked, is provided with a new device key which is storedin a device key storage unit 1401. A decryption algorithm Da′ (X, Y) fordecrypting the first encrypted media key in FIG. 18 is built into amedia key decryption unit 1402, in addition to a decryption algorithm Da(X, Y) for decrypting the first encrypted media key data in FIG. 16,which has been built-in since before. Furthermore, a decryptionalgorithm Dc′ (X, Y) for decrypting the first encrypted content key inFIG. 18 is built into a content key decryption unit 1403, in addition toa decryption algorithm Dc (X, Y) for decrypting the first encryptedcontent key in FIG. 16, which has been built-in since before. Forexample, a first category reproduction device m holds a newly provideddevice key (DKA′m), in addition to a device key (DKAm) that it has beenholding since before. When reproducing the recording medium in FIG. 16,the reproduction apparatus m uses the device key DKAm and the encryptionalgorithm Da (X, Y) to decrypt the first encrypted media key data andobtain the first media key (MK1). It then uses the obtained first mediakey (MK1) and the encryption algorithm Dc (X, Y) to decrypt the firstencrypted content key and obtain the content key (CK), and then uses theobtained content key (CK) to decrypt the encrypted content. On the otherhand, when reproducing the recording medium in FIG. 18, the reproductionapparatus m uses the device key DKA′m and the encryption algorithm Da′(X,Y) to decrypt the first encrypted media key data and obtain the firstmedia key (MK1). It then uses the obtained first media key (MK1) and theencryption algorithm Dc′ (X, Y) to decrypt the first encrypted contentkey and obtain the content key (CK), and then uses the obtained contentkey (CK) to decrypt the encrypted content. In the present embodiment, Ea(X, Y) and Da (X, Y), Ec (X, Y) and Dc (X, Y) use a DES cryptographhaving a key length of 56 bits. In contrast, Ea′ (X, Y) and Da′ (X, Y),Ec′ (X, Y), Dc′ (X, Y) use a 112-bit key length cryptograph known as atwo-key triple DES.

Here, as each device key among the new device keys (DKA′1 to DKA′m) doesnot match any of the pre-system update device keys (DKA1 to DKAm), evenwhen a device key, apart from DKA2, is exposed through an illicitcryptanalysis prior to the system update, the media key (MK1) cannot beobtained by using such device key to decrypt the first encrypted mediakey data which is read out from the recording medium in FIG. 18, and thecontent cannot be reproduced.

Furthermore, as it is possible to increase the encryption strength bychanging the key length of the device key and the encryption algorithm,practices such as the illicit obtainment of a device key through thecryptanalysis of the system can be hindered.

Moreover, as the device keys (DKB1 to DKBn) used in the generation ofthe second encrypted media key data, the encryption algorithm of thesecond encrypted media key data, and the encryption algorithm of thesecond content key data are not changed during the aforementioned systemupdate, no changes need to be made for the reproduction apparatusesbelonging to the second category.

According to the above-configured third embodiment of the presentinvention, there is no need for the first category reproductionapparatus 1400 and the second category reproduction apparatus 1500 toread the first or second encrypted media key data which are for revokingrespective reproduction apparatuses of the different categories.Therefore, the memory capacity provided within the apparatus can be madesmaller and processing time can also be reduced. Furthermore, theencryption algorithms used in generating the first encrypted media keydata and the first encrypted content key can be made different from theencryption algorithms used in generating the second encrypted media keydata and the second encrypted content data, respectively. Therefore,even in the case where the revocation system of the first categoryreproduction apparatuses falls into a situation where it is exposed, therevocation system can be changed, without affecting the second categoryreproduction apparatuses, by changing (a) the key length of the devicekeys provided to the first category reproduction apparatuses and (b) thegeneration algorithm of the first encrypted media key data.

Furthermore, by having separate media keys for the first category andthe second category, and providing stages of encrypted content keysrespectively using such media keys, in the present embodiment, theindependence between categories can be increased. More specifically,even in the case where a device key is exposed from a reproductionapparatus belonging to the first category, the media key that can beobtained using such device key is limited to the first media key only,and thus it is possible to prevent the second media key from beingexposed. This is particularly effective in the case where, as in thepresent embodiment, (a) the first category refers to a reproductionapparatus implemented through software for which updating and adding ofdecryption algorithms and keys is easy but sturdy implementation isdifficult, and (b) the second category refers to a reproductionapparatus implemented through hardware which is sturdy but updating andadding of decryption algorithms and keys is difficult.

Moreover, although in FIG. 13, a configuration is assumed in which thefirst media key, the second media key, and the content key are inputtedfrom a source outside of the recording apparatus 1300, the presentinvention is not limited to such configuration. For example, it is alsopossible to have a configuration in which the recording apparatus 1300includes a storage unit for storing the first media key, the secondmedia key, and content key. Furthermore, it is also possible for to havea configuration in which the recording apparatus 1300 includes ageneration unit which generates the first media key, the second mediakey, and content key as required.

Furthermore, although in FIG. 13, a two-stage configuration is assumedin which the content is encrypted using the content key, and then thecontent key is encrypted using the first and the second media key, thepresent invention is not limited to such configuration. For example, itis also possible to have a configuration in which the stages forencryption are further increased through the addition of keys.

Furthermore, as shown in FIG. 13, the recording apparatus in the presentembodiment assumes an integrated configuration for the device keystorage unit, the media key encryption unit and the content keyencryption unit for each category, the content encryption unit, as wellas the recording of respective data onto the recording medium. However,the present invention is not limited to such configuration. For example,it is also possible to have a configuration in which (a) the device keystorage unit, the media key encryption unit and the content keyencryption unit for each category (the section enclosed in broken linesin FIG. 13) are built into an apparatus which is provided in a facilitywhich operates the key management of the entire system and the keyissuance for the reproduction apparatuses, as their management andoperation require great confidentiality, and (b) the content encryptionunit and the recording of respective data onto the recording medium isexecuted by an apparatus provided in a content manufacturing facility ora recording medium manufacturing facility.

Furthermore, in the present embodiment, during the generation of thefirst encrypted media key data in the system updating, data is alsoassigned to the revoked reproduction apparatuses at the time of systemupdating, as in Ea (DKA′2, 0) in FIG. 17 and Ea′ (DKA′2, 0) in FIG. 18.However, it is also possible to have a configuration in which data isnot assigned to a revoked recording apparatus. In that case, theposition of the encrypted media key to be used by the reproductionapparatuses which are not revoked is also updated, and by providing newposition information when a new device key is provided, the reproductionapparatuses that are not revoked can use the appropriate data and obtainthe correct media key even if there is a change in the position of theencrypted media key before and after the system update. In such a case,the volume of data that needs to be stored in the first encrypted mediakey data recording area after the system update can be reduced.Alternatively, when the maximum value for the volume is limited, thenumber of new reproduction apparatuses belonging to the first categorycan be increased.

Furthermore, although the present embodiment adopts a method in whichrevocation of a reproduction apparatus is performed using encryptedmedia key data such as that shown in FIG. 16, a different method can beused for the method for revocation. For example, the revocation methodutilizing a tree-structure, disclosed in patent reference 1 can also beused.

Furthermore, although the present embodiment makes use of the DES havinga 56-bit key length as the encryption algorithm, and the two-key tripleDES having a 112-bit key length as the post-system update algorithm, thepresent invention is not limited to such, and can also use otherencryption algorithms such as AES having a 128-bit key length, forexample, which is referred to as a next-generation standard cryptograph.

Moreover, although the present embodiment is an application of thepresent invention in a system in which a content is distributed using aplayback-only recording medium, and the distributed content isreproduced using reproduction apparatuses, the present invention is notlimited to such application. The present invention can also be appliedin a system utilizing a rewritable or recordable recording medium, byassuming a configuration in which encrypted media key data and anencrypted content key for each category are generated and recorded ontoa recording medium by a key generation apparatus, and the encryptedmedia key data and the encrypted content key are decrypted and thecontent encrypted by a recording apparatus, in the same manner as in theaforementioned second embodiment.

Fourth Embodiment

The fourth embodiment of the present invention is an application of thepresent invention in a system in which a content is distributed using aplayback-only recording medium, and the distributed content isreproduced using reproduction apparatuses, as in the first embodiment.Furthermore, a recording apparatus in the fourth embodiment uses a firstcontent key and a second content key to encrypt a content twice.

Hereinafter, the fourth embodiment of the present invention shall bedescribed with reference to the diagrams. FIG. 19 shows a recordingapparatus 1900 which encrypts a content and records the encryptedcontent, and a recording medium 1920. FIG. 20 shows a first reproductionapparatus 2000 which reads-out and decrypts, the encrypted content fromthe recording medium 1920. FIG. 21 shows a second reproduction apparatus2100 which reads-out and decrypts, the encrypted content from therecording medium 1920. Furthermore, FIG. 22 shows a specific example ofvarious data to be recorded on the recording medium 1920.

The recording apparatus 1900 in FIG. 19 is different from the recordingapparatus 100 in FIG. 1 in having a first content encryption unit 1909perform a first content encryption on the content, using a first contentkey, then having a second content encryption unit 1910 perform a secondcontent encryption on the output, using a second content key, thenhaving the first content key encryption unit 1907 and a second contentkey encryption unit 1908 encrypt, using a media key, the first and thesecond content keys, respectively, using a media key, and then recordingthe output on the recording medium 1920. As the rest of the points arethe same as in the recording apparatus 100 in FIG. 1, description shallbe omitted.

The recording medium 1920 includes the following: a first encryptedmedia key data recording area 1921 for recording first encrypted mediakey data; a second encrypted media key data recording area 1922 forrecording second encrypted media key data; a first encrypted content keyrecording area 1923 for recording the first encrypted content keygenerated by the first content key encryption unit 1907; a secondencrypted content key recording area 1924 for recording the secondencrypted content key generated by the second content key encryptionunit 1908; and an encrypted content recording area 1925 for recordingthe encrypted content generated by the second content encryption unit1910.

The first reproduction apparatus 2000, such as a PC or the like, is madeup of a read-out apparatus 2010 such as a drive apparatus for example;and a decryption apparatus 2020 which realizes the decryption of acontent using an application for example. Moreover, the fourthembodiment is characterized by having the decryption of an encryptedcontent performed also in the read-out apparatus 2010 such as a driveapparatus, and the like.

The read-out apparatus 2010 includes the following: a device key storageunit 2011 which confidentially holds a device key; a second media keydecryption unit 2012 which obtains the media key by decrypting, usingthe device key, the second encrypted media key data which is read outfrom the recording medium 1920; a second content key decryption unit2013 which obtains the content key by decrypting, using the obtainedmedia key, the second encrypted content key which is read out from therecording medium; and a second content decryption unit 2014 whichperforms a second content decryption process, using the obtained contentkey, on the encrypted content which is read out from the recordingmedium 1920. The performance of the second decryption process on theencrypted content by the second content decryption unit 2014 results inintermediate data which is then supplied to the decryption apparatus2020, together with the first encrypted media key data and the firstencrypted content key which are read out from the recording medium 1920.In the present embodiment, it is assumed that the read-out apparatus2010 has the aforementioned component elements implemented throughhardware, and belongs to the second category.

The decryption unit 2020 includes the following: a device key storageunit 2021 which confidentially holds the device key; a first media keydecryption unit 2022 which obtains the media key by decrypting, usingthe device key, the first encrypted media key supplied by the read-outapparatus 2010; a first content key decryption unit 2023 which obtainsthe first content key by decrypting, using the obtained media key, thefirst encrypted content key supplied by the read-out apparatus 2010; anda first content decryption unit 2024 which obtains the content byperforming a first content decryption process using the obtained firstcontent key, on the intermediate data supplied by the read-out apparatus2010. In the present embodiment, it is assumed that the decryption unit2020 has the aforementioned component elements implemented throughsoftware, and belongs to the first category.

The second reproduction apparatus 2100 is a second category reproductionapparatus, and includes the following: a device key storage unit 2101which confidentially holds a device key; a media key decryption unit2102 which obtains the media key by decrypting, using the device key,the second encrypted media key data which is read out from the recordingmedium 1920; a second content key decryption unit 2103 which obtains thesecond content key by decrypting, using the obtained media key, thesecond encrypted content key which is read out from the recordingmedium; and a second content decryption unit 2104 which, using theobtained second content key, performs a second content decryptionprocess on the encrypted content which is read out from the recordingmedium 1920; a first content key decryption unit 2105 which obtains afirst content key by decrypting, using the obtained media key, the firstencrypted content key data read out from the recording medium; and afirst content decryption unit 2106 which obtains the content byperforming a first content decryption process using the first contentkey, on the output of the second content decryption unit 2104. In thepresent embodiment, it is assumed that the second reproduction apparatus2100 has the aforementioned component elements implemented throughhardware, and belongs to the second category.

In the present embodiment, it is assumed that a decryption apparatuswhich is implemented through software, as in an application program in apersonal computer, is a decryption apparatus belonging to the firstcategory, and an apparatus which is implemented through hardware, as inan optical disk drive which is connected or built into a commonhousehold player as well as a personal computer, is assumed as anapparatus belonging to the second category.

FIG. 22 shows a specific example of the various data to be recorded onthe recording medium 1920 in the case where it is assumed that m-unitsof first category decryption apparatuses and n-units of second categoryapparatuses hold only one unique device key each, and a first categorydecryption apparatus 2 and a second category apparatus 3 are revoked. InFIG. 22, it is assumed that a first category decryption apparatus “i”(i=1 to m) holds a device key DKAi, a second category apparatus “j” (j=1to n) holds a device key DKAj. Furthermore, Ea (X, Y), Eb (X, Y), Ec (X,Y), Ed (X, Y), Ee (X, Y), and Ef (X, Y) represent functions forencrypting data Y using key data X. In addition, the encryptionalgorithm used can be realized by commonly known technology, and thepresent embodiment makes use of DES cryptography having a key length of56 bits.

Data recorded in the first encrypted media key data recording area 1921and the second encrypted media key data recording area 1922 are the sameas the data recorded in the first encrypted media key data recordingarea 121 and the second encrypted media key data recording area 122,respectively, in the previously described first embodiment, and theirdescription shall be omitted.

(The First Encrypted Content Key Recording Area 1923)

A first content key (CK1) which is encrypted using the media key (MK) isrecorded in the encrypted content key recording area 1923.

(The Second Encrypted Content Key Recording Area 1924)

A second content key (CK2) which is encrypted using the media key (MK)is recorded in the encrypted content key recording area 1924.

(The Encrypted Content Recording Area 1925)

A content which is encrypted using the first content key (CK1) and thesecond content key (CK2) is recorded in the encrypted content recordingarea 124.

In the above-configured fourth embodiment of the present invention, inthe case where, for example, a number of device keys provided to thefirst category decryption apparatuses and the algorithm for decryptingthe first encrypted media key data are illicitly exposed over theInternet, and it is judged that the revocation for the first categorydecryption apparatuses has stopped functioning, the revocation systemfor the first category decryption apparatuses is updated. Specificexamples are described hereinafter.

(System Update Specific Example 1)

FIG. 23 shows a specific example 1 for various data to be recorded on anew recording medium 1920 which is created after it is judged that therevocation for the first category decryption apparatuses has stoppedfunctioning. The difference with FIG. 22 is that the device keys DKA1 toDKAm used in generating the first encrypted media key data are changedto DKA′1 to DKA′m. As this is the same as the system update specificexample 1 described in the aforementioned first embodiment, descriptionof details shall be omitted.

Here, as each device key among the new device keys (DKA′1 to DKA′m) doesnot match any of the pre-system update device keys (DKA1 to DKAm), evenwhen a device key, apart from DKA2, is exposed through an illicitcryptanalysis prior to the system update, the media key (MK) cannot beobtained by using such device key to decrypt the first encrypted mediakey data which is read out from the recording medium in FIG. 23, and thecontent cannot be reproduced.

Moreover, as the device keys (DKB1 to DKBn) used in the generation ofthe second encrypted media key data are not changed during theaforementioned system update, no changes have to be made for theapparatuses belonging to the second category.

(System Update Example 2)

FIG. 24 shows a specific example 2 for various data to be recorded on anew recording medium 1920 which is created after it is judged that therevocation for the first category decryption apparatuses has stoppedfunctioning. The difference with FIG. 22 is that the device keys DKA1 toDKAm used in generating the first encrypted media key data are changedto DKA′1 to DKA′m, and the encryption algorithm is changed from Ea (X,Y) to Ea′ (X, Y). As this is the same as the system update specificexample 2 described in the aforementioned first embodiment, descriptionof details shall be omitted.

Here, as each device key among the new device keys (DKA′1 to DKA′m) doesnot match any of the pre-system update device keys (DKA1 to DKAm), evenwhen a device key, apart from DKA2, is exposed through an illicitcryptanalysis prior to the system update, the media key (MK) cannot beobtained by using such device key to decrypt the first encrypted mediakey data which is read out from the recording medium in FIG. 24, and thecontent cannot be reproduced.

Furthermore, as it is possible to increase the encryption strength bychanging the key length of the device key and the encryption algorithm,practices such as the illicit obtainment of a device key through thecryptanalysis of the system can be hindered.

Moreover, as the device keys (DKB1 to DKBn) used in the generation ofthe second encrypted media key data, and the encryption algorithm of thesecond encrypted media key data, are not changed during theaforementioned system update, no changes need to be made for theapparatuses belonging to the second category.

According to the above-configured fourth embodiment of the presentinvention, there is no need for the first category apparatuses (thedecryption apparatus 2020) and the second category apparatuses (read-outapparatus 2010 and second reproduction apparatus 2100) to read the firstor second encrypted media key data which are for revoking respectiveapparatuses of the different categories. Therefore, the memory capacityprovided within the apparatus can be made smaller and processing timecan also be reduced. Furthermore, the encryption algorithm used ingenerating the first encrypted media key data can be made different fromthe encryption algorithm used in generating the second encrypted mediakey data. Therefore, even in the case where the revocation system of thefirst category decryption apparatuses falls into a situation where it isexposed, the revocation system can be changed, without affecting thesecond category apparatuses, by changing (a) the key length of thedevice keys provided to the first category decryption apparatuses and(b) the generation algorithm of the first encrypted media key data. Inaddition, as the algorithm for decrypting the second encrypted contentkey is not installed in the first category decryption apparatus 2020,even when any of the first category decryption apparatuses iscryptanalized and the device key which it holds and the decryptionalgorithm is exposed, all of the information needed for the decryptionof the content cannot be obtained, and thus a stronger copyrightprotection system can be constructed. This is particularly effective inthe case where, as in the present embodiment, (a) the first categoryrefers to a decryption apparatus implemented through software for whichupdating and adding of decryption algorithms and keys is easy but sturdyimplementation is difficult, and (b) the second category refers to areproduction apparatus or a read apparatus implemented through hardwarewhich is sturdy but updating and adding of decryption algorithms andkeys is difficult.

Moreover, although in FIG. 19, a configuration is assumed in which themedia key, the first content key, and the second content key areinputted from a source outside of the recording apparatus 1900, thepresent invention is not limited to such configuration. For example, itis also possible to have a configuration in which the recordingapparatus 1900 includes a storage unit for storing the media key, thefirst content key, and the second content key. Furthermore, it is alsopossible for to have a configuration in which the recording apparatus1900 includes a generation unit which generates the media key, the firstcontent key, and the second content key, as required.

Furthermore, although in FIG. 19 in the present embodiment, a two-stageconfiguration is assumed in which the content is encrypted using thefirst and the second content key, and then the first and the secondcontent keys are encrypted using the media key, the present invention isnot limited to such configuration. For example, it is also possible tohave a configuration in which the stages for encryption are furtherincreased through the addition of keys.

Furthermore, as shown in FIG. 19, the recording apparatus in the presentembodiment assumes an integrated configuration for the device keystorage unit, the media key encryption unit, the content key encryptionunit and the content encryption unit for each category, as well as therecording of respective data onto the recording medium. However, thepresent invention is not limited to such, and it is possible to have aconfiguration in which the recording apparatus is separated. Forexample, it is also possible to have a configuration in which (a) thedevice key storage unit, the media key encryption unit and the contentkey encryption unit for each category (the section enclosed in brokenlines in FIG. 19) are built into an apparatus which is provided in afacility which operates the key management of the entire system and thekey issuance for the reproduction apparatuses, as their management andoperation require great confidentiality, and (b) the content encryptionunits and the recording of respective data onto the recording medium isexecuted by an apparatus provided in a content manufacturing facility ora recording medium manufacturing facility.

Furthermore, in the present embodiment, during the generation of thefirst encrypted media key data in the system updating, data is alsoassigned to the revoked decryption apparatuses at the time of systemupdating, as in Ea (DKA′2, 0) in FIG. 23 and Ea′ (DKA′2, 0) in FIG. 24.However, it is also possible to have a configuration in which data isnot assigned to a revoked decryption apparatus. In that case, theposition of the encrypted media key to be used by the decryptionapparatuses which are not revoked is also updated, and by providing newposition information when a new device key is provided, the decryptionapparatuses that are not revoked can use the appropriate data and obtainthe correct media key even if the position of the encrypted media keyhas changed before and after the system update. In such a case, thevolume of data that needs to be stored in the first encrypted media keydata recording area after the system update can be reduced.Alternatively, when the maximum value for the volume is limited, itbecomes possible to increase the number of new decryption apparatusesbelonging to the first category.

Furthermore, although the present embodiment adopts a method in whichrevocation of a decryption apparatus is performed using encrypted mediakey data such as that shown in FIG. 22, a different method can be usedfor the method for revocation. For example, the revocation methodutilizing a tree-structure, disclosed in patent reference 1 can also beused.

Furthermore, although the present embodiment makes use of the DES havinga 56-bit key length as the encryption algorithm, and the two-key tripleDES having a 112-bit key length as the post-system update algorithm, thepresent invention is not limited to such, and can also use otherencryption algorithms such as AES having a 128-bit key length, forexample, which is referred to as a next-generation standard cryptograph.

Furthermore, although in FIG. 22, after the entirety of the content isencrypted using the first content key (CK1), it is further encryptedusing the second content key (CK2), the present invention is not limitedto such. For example, the content can be divided into several blocks,with some blocks being encrypted using the first content key (CK1) andthe rest of the blocks being encrypted using the second content key(CK2).

Moreover, although the present embodiment is an application of thepresent invention in a system in which a content is distributed using aplayback-only recording medium, and the distributed content isreproduced using reproduction apparatuses, the present invention is notlimited to such application. The present invention can also be appliedin a system utilizing a rewritable or recordable recording medium, byassuming a configuration in which encrypted media key data and anencrypted content key for each category are generated and recorded ontoa recording medium by a key generation apparatus, and the encryptedmedia key data and the encrypted content key are decrypted and thecontent encrypted by a recording apparatus, in the same manner as in theaforementioned second embodiment.

Fifth Embodiment

In the fifth embodiment, the system in the fourth embodiment is providedwith separate media keys for the first category and the second category,and provided with stages of first encrypted content keys respectivelyusing such media keys.

Furthermore, the fifth embodiment is characterized by the addition of anew second reproduction apparatus into the configuration of thereproduction apparatus 2000 in the fourth embodiment, together with theuse of a first media and a second media key, and a first content key anda second content key.

Hereinafter, the fifth embodiment of the present invention shall bedescribed with reference to the diagrams. FIG. 25 shows a recordingapparatus 2500 which encrypts a content and records the encryptedcontent, and a recording medium 2520. FIG. 26 shows a first reproductionapparatus 2600 which reads-out and decrypts the encrypted content fromthe recording medium 2520. FIG. 27 shows a second reproduction apparatus2700 which reads-out and decrypts the encrypted content from therecording medium 2520. Furthermore, FIG. 28 shows a specific example ofvarious data to be recorded on the recording medium 2520.

The recording apparatus 2500 in FIG. 25 is different from the recordingapparatus 1900 in FIG. 19 in being separately provided with a firstmedia key for the first category and a second media key for the secondcategory, then encrypting the first and the second media key in a firstmedia key encryption unit 2505 and a second media key encryption unit2506, respectively, then encrypting the first content key in a firstcontent key encryption unit (1) 2507 and a first content key encryptionunit (2) 2511, using the first and the second media keys, respectively,and then recording the output on the recording medium 2520. As the restof the points are the same as in the recording apparatus 1900 in theaforementioned fourth embodiment, their description shall be omitted.

The recording medium 2520 includes the following: a first encryptedmedia key data recording area 2521 for recording first encrypted mediakey data; a second encrypted media key data recording area 2522 forrecording second encrypted media key data; a first encrypted content key(1) recording area 2523 for recording the first encrypted content key(1) generated by the first content key encryption unit (1) 2507; a firstencrypted content key (2) recording area 2526 for recording the firstencrypted content key (2) generated by the first content key encryptionunit (2) 2511; a second encrypted content key recording area 2524 forrecording the second encrypted content key; and an encrypted contentrecording area 2525 for recording the encrypted content.

In the first reproduction apparatus 2600, a decryption apparatus 2620obtains the first content key by decrypting the first encrypted contentkey (1) which is read out from the recording medium 2520 by a read-outapparatus 2610. As the rest of the points are the same as in the firstreproduction apparatus 2000 in the aforementioned fourth embodiment,their description shall be omitted.

The second reproduction apparatus 2700 obtains the first content key bydecrypting the first encrypted content key (2) which is read out fromthe recording medium 2520. As the rest of the points are the same as inthe second reproduction apparatus 2100 in the aforementioned fourthembodiment, their description shall be omitted.

FIG. 28 shows a specific example of the various data to be recorded onthe recording medium 2520. A first media key (MK1) encrypted usingdevice keys (DKA1 to DKAm) held by the first category decryptionapparatuses is recorded in the first encrypted media key data recordingarea 2521. A second media key (MK2) encrypted using device keys (DKB1 toDKBm) held by the second category apparatuses is recorded in the secondencrypted media key data recording area 2522. Furthermore, the firstcontent key (CK1) encrypted using the first media key (MK1) is recordedin the first encrypted content key (1) recording area 2523, and thefirst content key (CK1) encrypted using the second media key (MK2) isrecorded in the first encrypted content key (2) recording area 2526. Asthe rest of the points are the same as in FIG. 22 described earlier,their description shall be omitted. Moreover, Eg (X, Y) in FIG. 28refers to functions for encrypting data Y using key data X. The presentembodiment uses DES cryptography having a key length of 56 bits.

In the above-configured fifth embodiment of the present invention, inthe case where, for example, a number of device keys provided to thefirst category decryption apparatuses and the algorithm for decryptingthe first encrypted media key are illicitly exposed over the Internet,and it is judged that the revocation for the first category decryptionapparatuses has stopped functioning, the revocation system for the firstcategory decryption apparatuses is updated. Specific examples aredescribed hereinafter.

(System Update Specific Example 1)

FIG. 29 shows a specific example 1 for various data to be recorded on anew recording medium 2520 which is created after it is judged that therevocation for the first category decryption apparatuses has stoppedfunctioning. The difference with FIG. 28 is that the device keys DKA1 toDKAm used in generating the first encrypted media key data are changedto DKA′1 to DKA′m. As this is the same as the system update specificexample 1 described in the aforementioned first embodiment, descriptionof details shall be omitted.

(System Update Example 2)

FIG. 30 shows a specific example 2 for various data to be recorded on anew recording medium 2520 which is created after it is judged that therevocation for the first category decryption apparatuses has stoppedfunctioning. The difference with FIG. 22 is that the device keys DKA1 toDKAm used in generating the first encrypted media key data are changedto DKA′1 to DKA′m, the encryption algorithm is changed from Ea (X, Y) toEa′ (X, Y), and the encryption algorithm for the first encrypted contentkey (1) is changed from Ec (X, Y) to Ec′ (X, Y). As this is the same asin the system update specific example 2 described in the aforementionedthird embodiment, description of details shall be omitted.

According to the above-configured fifth embodiment of the presentinvention, a strong copyright protection system can be constructed, inthe same manner as in the fourth embodiment. In addition, by havingseparate media keys for the first category and the second category, andproviding stages of the encrypted device keys which respectively usesuch media keys, in the present embodiment, the independence betweencategories can be increased. More specifically, even in the case where adevice key is exposed from an apparatus belonging to the first category,the media key that can be obtained using such device key is limited tothe first media key only, and thus it is possible to prevent the secondmedia key from being exposed. This is particularly effective in the casewhere, as in the present embodiment, (a) the first category refers to adecryption apparatus implemented through software for which updating andadding of decryption algorithms and keys is easy but sturdyimplementation is difficult, and (b) the second category refers to areproduction apparatus or a read apparatus implemented through hardwarewhich is sturdy but updating and adding of decryption algorithms andkeys is difficult.

Moreover, although in FIG. 25 a configuration is assumed in which thefirst media key, the second media key, the first content key, and thesecond content key are inputted from a source outside of the recordingapparatus 2500, the present invention is not limited to suchconfiguration. For example, it is also possible to have a configurationin which the recording apparatus 2500 includes a storage unit forstoring such keys. Furthermore, it is also possible for to have aconfiguration in which the recording apparatus 2500 includes ageneration unit which generates such keys as required.

Furthermore, although in FIG. 25, a configuration is assumed in whichthe content is encrypted using the first and the second content keys,and then the first and the second content keys are encrypted using themedia keys, the present invention is not limited to such configuration.For example, it is also possible to have a configuration in which thestages for encryption are further increased through the addition ofkeys.

Furthermore, as shown in FIG. 25, the recording apparatus in the presentembodiment assumes an integrated configuration for the device keystorage unit, the media key encryption unit, the content key encryptionunit and the content encryption unit for each category, as well as therecording of respective data onto the recording medium. However, thepresent invention is not limited to such, and it is possible to have aconfiguration in which the recording apparatus is separated. Forexample, it is also possible to have a configuration in which (a) thedevice key storage unit, the media key encryption unit and the contentkey encryption unit for each category (the section enclosed in brokenlines in FIG. 25) are built into an apparatus which is provided in afacility which operates the key management of the entire system and thekey issuance for the reproduction apparatuses, as their management andoperation require great confidentiality, and (b) the content encryptionunits and the recording of respective data onto the recording medium isexecuted by an apparatus provided in a content manufacturing facility ora recording medium manufacturing facility.

Furthermore, in the present embodiment, during the generation of thefirst encrypted media key data in the system updating, data is alsoassigned to the revoked decryption apparatuses at the time of systemupdating, as in Ea (DKA′2, 0) in FIG. 29 and Ea′ (DKA′2, 0) in FIG. 30.However, it is also possible to have a configuration in which data isnot assigned to a revoked decryption apparatus. In that case, theposition of the encrypted media key to be used by the decryptionapparatuses which are not revoked is also updated, and by providing newposition information when a new device key is provided, the decryptionapparatuses that are not revoked can use the appropriate data and obtainthe correct media key even if there is a change in the position of theencrypted media key before and after the system update. In such a case,the volume of data that needs to be stored in the first encrypted mediakey data recording area after the system update can be reduced.Alternatively, when the maximum value for the volume is limited, itbecomes possible to increase the number of new decryption apparatusesbelonging to the first category.

Furthermore, although the present embodiment adopts a method in whichrevocation of a decryption apparatus is performed using encrypted mediakey data such as that shown in FIG. 28, a different method can be usedfor the method for revocation. For example, the revocation methodutilizing a tree-structure, disclosed in patent reference 1 can also beused.

Furthermore, although the present embodiment makes use of the DES havinga 56-bit key length as the encryption algorithm, and the two-key tripleDES having a 112-bit key length as the post-system update algorithm, thepresent invention is not limited to such, and can also use otherencryption algorithms such as AES having a 128-bit key length, forexample, which is referred to as a next-generation standard cryptograph.

Furthermore, although in FIG. 28, after the entirety of the content isencrypted using the first content key (CK1), it is further encryptedusing the second content key (CK2), the present invention is not limitedto such. For example, the content can be divided into several blocks,with some blocks being encrypted using the first content key (CK1) andthe rest of the blocks being encrypted using the second content key(CK2).

Moreover, although the present embodiment is an application of thepresent invention in a system in which a content is distributed using aplayback-only recording medium, and the distributed content isreproduced using reproduction apparatuses, the present invention is notlimited to such application. The present invention can also be appliedin a system utilizing a rewritable or recordable recording medium, byassuming a configuration in which encrypted media key data and anencrypted content key for each category are generated and recorded ontoa recording medium by a key generation apparatus, and the encryptedmedia key data and the encrypted content key are decrypted and thecontent encrypted by a recording apparatus, in the same manner as in theaforementioned second embodiment.

Sixth Embodiment

The sixth embodiment of the present invention is an application of thepresent invention in a system in which a content is distributed using aplayback-only recording medium, and the distributed content isreproduced using reproduction apparatuses, as in the first embodiment.

Hereinafter, the sixth embodiment of the present invention shall bedescribed with reference to the diagrams. FIG. 31 shows a recordingapparatus 3100 which encrypts a content and records the encryptedcontent, and a recording medium 3120. FIG. 32 shows a first reproductionapparatus 3200 which reads-out and decrypts, the encrypted content fromthe recording medium 120. FIG. 33 shows a second reproduction apparatus3300 which reads-out and decrypts, the encrypted content from therecording medium 3120. Furthermore, FIG. 34 shows a specific example ofvarious data to be recorded on the recording medium 3120.

The recording apparatus 3100 in FIG. 31 is different from the recordingapparatus 100 in FIG. 1 in generating the content key in a content keygeneration unit 3109 using a first and a second seed which are inputtedfrom an outside source, and then encrypting, using a media key, thefirst and the second seeds in a first seed encryption unit 3107 and asecond seed encryption unit 3108, respectively, and then recording theoutput on the recording medium 3120. As the rest of the points are thesame as in the recording apparatus 100 in FIG. 1, their descriptionshall be omitted.

The recording medium 3120 includes the following: a first encryptedmedia key data recording area 3121 for recording first encrypted mediakey data; a second encrypted media key data recording area 3122 forrecording second encrypted media key data; a first encrypted seedrecording area 3123 for recording a first encrypted seed generated bythe first seed encryption unit 3107; a second encrypted seed recordingarea 3124 for recording a second encrypted seed generated by the secondseed encryption unit 3108; and an encrypted content recording area 3125for recording an encrypted content.

The first reproduction apparatus 3200 is made up of a read-out apparatus3210 and a decryption apparatus 3220.

The read-out apparatus 3210 includes the following: a device key storageunit 3211 which confidentially holds a device key; a second media keydecryption unit 3212 which obtains the media key by decrypting, usingthe device key, the second encrypted media key data which is read outfrom the recording medium 3120; a second seed decryption unit 3213 whichobtains the second seed by decrypting, using the obtained media key, thesecond encrypted seed which is read out from the recording medium. Itthen supplies the obtained second seed to the decryption apparatus 3220together with the first encrypted media key data, the first encryptedseed, and the encrypted contents which are read out from the recordingmedium 3220. In the present embodiment, it is assumed that the read-outapparatus 3210 has the aforementioned component elements implementedthrough hardware, and belongs to the second category.

The decryption unit 3220 includes the following: a device key storageunit 3221 which confidentially holds the device key; a first media keydecryption unit 3222 which obtains the media key by decrypting, usingthe device key, the first encrypted media key supplied by the read-outapparatus 3210; a first seed decryption unit 3223 which obtains thefirst seed by decrypting, using the obtained media key, the firstencrypted seed supplied by the read-out apparatus 3210; a content keygeneration unit 3224 which generates the content key using the obtainedfirst seed and the second seed supplied by the read-out apparatus 3210;and a content decryption unit 3225 which decrypts, using the generatedcontent key, the encrypted content supplied by the read-out apparatus3210. In the sixth embodiment, it is assumed that the decryption unit3220 has the aforementioned component elements implemented throughsoftware, and belongs to the first category. Moreover, it is possible tohave a such a method where, assuming that the first and the second seedsrespectively have 64 bits, a bit concatenation of their respective high28 bits is carried out in the content key generation units 3109 and 3224to obtain a 56-bit content key.

The second reproduction apparatus 3300 is a second category reproductionapparatus, and includes the following: a device key storage unit 3301which confidentially holds the device key; a media key decryption unit3302 which obtains the media key by decrypting, using the device key,the second encrypted media key data which is read out from the recordingmedium 3120; a first seed decryption unit 3303 which obtains the firstseed by decrypting, using the obtained media key, the first encryptedseed which is read out from the recording medium; a second seeddecryption unit 3304 which obtains the second seed by decrypting, usingthe obtained media key, the second encrypted seed which is read out fromthe recording medium 3120; a content key generation unit 3305 whichgenerates the content key from the first seed and the second seed; and acontent decryption unit 3306 which decrypts, using the generated contentkey, the encrypted content which is read out from the recording medium3120. In the sixth embodiment, the second reproduction apparatus 3300has the aforementioned component elements implemented through hardware,and belongs to the second category.

In the present embodiment, it is assumed that a decryption apparatuswhich is implemented through software, as in an application program in apersonal computer, is a decryption apparatus belonging to the firstcategory, and an apparatus which is implemented through hardware, as inan optical disk drive which is connected or built into a commonhousehold player as well as a personal computer, is assumed as anapparatus belonging to the second category.

FIG. 34 shows a specific example of the various data to be recorded onthe recording medium 3120 in the case where it is assumed that m-unitsof first category decryption apparatuses and n-units of second categoryapparatuses hold only one unique device key each, and a first categorydecryption apparatus 2 and a second category apparatus 3 are revoked. InFIG. 34, it is assumed that a first category decryption apparatus “i”(i=1 to m) holds a device key DKAi, a second category apparatus “j” (j=1to n) holds a device key DKAj. Furthermore, Ea (X, Y), Eb (X, Y), Ec (X,Y) and Ed (X, Y), and Ee (X, Y) represent functions for encrypting dataY using key data X. In addition, the encryption algorithm used can berealized by commonly known technology, and the present embodiment makesuse of DES cryptography having a key length of 56 bits.

As the data recorded in the first encrypted media key data recordingarea 3121 and the second media key data recording area 3122 are the sameas the data recorded in the first encrypted media key data recordingarea 121 and the second media key data recording area 122, respectively,in the aforementioned first embodiment, their description shall beomitted.

(The First Encrypted Seed Recording Area 3123)

A first seed (SD1) which is encrypted using the media key (MK) isrecorded in the first encrypted seed recording area 3123.

(The Second Encrypted Seed Recording Area 3124)

A second seed (SD2) which is encrypted using the media key (MK) isrecorded in the first encrypted seed recording area 3124.

(The Encrypted Content Recording Area 3125)

A content which is encrypted using the content key (CK) is recorded inthe encrypted content recording area 3125.

In the above-configured embodiment of the present invention, in the casewhere, for example, a number of device keys provided to the firstcategory decryption apparatuses and the algorithm for decrypting thefirst encrypted media key data are illicitly exposed over the Internet,and it is judged that the revocation for the first category decryptionapparatuses has stopped functioning, the revocation system for the firstcategory decryption apparatuses is updated. Specific examples aredescribed hereinafter.

(System Update Specific Example 1)

FIG. 35 shows a specific example 1 for various data to be recorded on anew recording medium 3120 which is created after it is judged that therevocation for the first category decryption apparatuses has stoppedfunctioning. The difference with FIG. 34 is that the device keys DKA1 toDKAm used in generating the first encrypted media key data are changedto DKA′1 to DKA′m. As this is the same as the system update specificexample 1 described in the aforementioned first embodiment, descriptionof details shall be omitted.

Here, as each device key among the new device keys (DKA′1 to DKA′m) doesnot match any of the pre-system update device keys (DKA1 to DKAm), evenwhen a device key, apart from DKA2, is exposed through an illicitcryptanalysis prior to the system update, the media key (MK) cannot beobtained by using such device key to decrypt the first encrypted mediakey which is read out from the recording medium in FIG. 35, and thecontent cannot be reproduced.

Moreover, as the device keys (DKB1 to DKBn) used in the generation ofthe second encrypted media key data are not changed during theaforementioned system update, no changes have to be made for theapparatuses belonging to the second category.

(System Update Example 2)

FIG. 36 shows a specific example 2 for various data to be recorded on anew recording medium 3120 which is created after it is judged that therevocation for the first category decryption apparatuses has stoppedfunctioning. The difference with FIG. 34 is that the device keys DKA1 toDKAm used in generating the first encrypted media key data are changedto DKA′1 to DKA′m, and the encryption algorithm is changed from Ea (X,Y) to Ea′ (X, Y). As this is the same as the system update specificexample 2 described in the aforementioned first embodiment, descriptionof details shall be omitted.

Here, as each device key among the new device keys (DKA′1 to DKA′m) doesnot match any of the pre-system update device keys (DKA1 to DKAm), evenwhen a device key, apart from DKA2, is exposed through an illicitcryptanalysis prior to the system update, the media key (MK) cannot beobtained by using such device key to decrypt the first encrypted mediakey which is read out from the recording medium in FIG. 36, and thecontent cannot be reproduced.

Furthermore, as it is possible to increase the encryption strength bychanging the key length of the device key and the encryption algorithm,practices such as the illicit obtainment of a device key through thecryptanalysis of the system can be hindered.

Moreover, as the device keys (DKB1 to DKBn) used in the generation ofthe second encrypted media key data, and the encryption algorithm of thesecond encrypted media key data, are not changed during theaforementioned system update, no changes need to be made for theapparatuses belonging to the second category.

According to the above-configured fifth embodiment of the presentinvention, there is no need for the first category apparatuses (thedecryption apparatus 3220) and the second category apparatuses (theread-out apparatus 3210 and the second reproduction apparatus 3300) toread the first or second encrypted media key data which are for revokingrespective apparatuses of the different categories. Therefore, thememory capacity provided within the apparatus can be made smaller andprocessing time can be reduced. Furthermore, the encryption algorithmused in generating the first encrypted media key data can be madedifferent from the encryption algorithm used in generating the secondencrypted media key data. Therefore, even in the case where therevocation system of the first category decryption apparatuses fallsinto a situation where it is exposed, the revocation system can bechanged, without affecting the second category apparatuses, by changing(a) the key length of the device keys provided to the first categorydecryption apparatuses and (b) the generation algorithm of the firstencrypted media key data. In addition, as the algorithm for decryptingthe second encrypted seed is not installed in the first categorydecryption apparatus 3220, even when any of the first categorydecryption apparatuses is cryptanalyzed and the device key and thedecryption algorithm being held is exposed, the second seed, which isdifferent for each content, cannot be decrypted. It is thereforepossible to prevent illicit acts carried out with respect to the firstcategory, from affecting the entirety of the system, and a strongercopyright protection system can be constructed. This is particularlyeffective in the case where, as in the present embodiment, (a) the firstcategory refers to a decryption apparatus implemented through softwarefor which updating and adding of decryption algorithms and keys is easybut sturdy implementation is difficult, and (b) the second categoryrefers to a reproduction apparatus or a read apparatus implementedthrough hardware which is sturdy but updating and adding of decryptionalgorithms and keys is difficult.

Moreover, although in FIG. 31, a configuration is assumed in which themedia key, the first seed, and the second seed are inputted from asource outside of the recording apparatus 3100, the present invention isnot limited to such configuration. For example, it is also possible tohave a configuration in which the recording apparatus 3100 includes astorage unit for storing the media key, the first seed, and the secondseed. Furthermore, it is also possible for to have a configuration inwhich the recording apparatus 3100 includes a generation unit whichgenerates the media key, the first seed, and the second seed asrequired.

Furthermore, although in FIG. 31, a configuration is assumed in whichthe content key is generated from the first seed and the second seed,then the content is encrypted using the content key, and then the firstseed and the second seed are encrypted using the media key, the presentinvention is not limited to such configuration. For example, it is alsopossible to have a configuration in which the stages for encryption arefurther increased through the addition of keys.

Furthermore, as shown in FIG. 31, the recording apparatus in the presentembodiment assumes an integrated configuration for the device keystorage unit, the media key encryption unit, the seed encryption unit,the content key generation unit and the content encryption unit for eachcategory, as well as the recording of respective data onto the recordingmedium. However, the present invention is not limited to such, and it ispossible to have a configuration in which the recording apparatus isseparated. For example, it is also possible to have a configuration inwhich (a) the device key storage unit, the media key encryption unit,the seed encryption unit and the content key generation unit for eachcategory (the section enclosed in broken lines in FIG. 31) are builtinto an apparatus which is provided in a facility which operates the keymanagement of the entire system and the key issuance for thereproduction apparatuses, as their management and operation requiregreat confidentiality, and (b) the content encryption unit and therecording of respective data onto the recording medium is executed by anapparatus provided in a content manufacturing facility or a recordingmedium manufacturing facility.

Furthermore, in the present embodiment, during the generation of thefirst encrypted media key data in the system updating, data is alsoassigned to the revoked decryption apparatuses at the time of systemupdating, as in Ea (DKA′2, 0) in FIG. 35 and Ea′ (DKA′2, 0) in FIG. 36.However, it is also possible to have a configuration in which data isnot assigned to a revoked recording apparatus. In that case, theposition of the encrypted media key to be used by the decryptionapparatuses which are not revoked is also updated, and by providing newposition information when a new device key is provided, the decryptionapparatuses that are not revoked can use the appropriate data and obtainthe correct media key even if there is a change in the position of theencrypted media key before and after the system update. In such a case,the volume of data that needs to be stored in the first encrypted mediakey data recording area after the system update can be reduced.Alternatively, when the maximum value for the volume is limited, thenumber of new decryption apparatuses belonging to the first category canbe increased.

Furthermore, although the present embodiment adopts a method in whichrevocation of a decryption apparatus is performed using encrypted mediakey data such as that shown in FIG. 34, a different method can be usedfor the method for revocation. For example, the revocation methodutilizing a tree-structure, disclosed in patent reference 1 can also beused.

Furthermore, although the present embodiment makes use of the DES havinga 56-bit key length as the encryption algorithm, and the two-key tripleDES having a 112-bit key length as the post-system update algorithm, thepresent invention is not limited to such, and can also use otherencryption algorithms such as AES having a 128-bit key length, forexample, which is referred to as a next-generation standard cryptograph.

Moreover, although the present embodiment is an application of thepresent invention in a system in which a content is distributed using aplayback-only recording medium, and the distributed content isreproduced using reproduction apparatuses, the present invention is notlimited to such application. The present invention can also be appliedin a system utilizing a rewritable or recordable recording medium, byassuming a configuration in which encrypted media key data and anencrypted seed for each category are generated and recorded onto arecording medium by a key generation apparatus, and the encrypted mediakey data and the encrypted seeds are decrypted, and then a content keyis generated and the content encrypted by a recording apparatus, in thesame manner as in the aforementioned second embodiment.

Seventh Embodiment

In the seventh embodiment of the present invention, the system in thesixth embodiment is provided with separate media keys for the firstcategory and the second category, and provided with stages of the firstencrypted seed respectively use such media keys.

Hereinafter, the seventh embodiment of the present invention shall bedescribed with reference to the diagrams. FIG. 37 shows a recordingapparatus 3700 which encrypts a content and records the encryptedcontent, and a recording medium 3720. FIG. 38 shows a first reproductionapparatus 3800 which reads-out and decrypts the encrypted content fromthe recording medium 3720. FIG. 39 shows a second reproduction apparatus3900 which reads-out and decrypts the encrypted content from therecording medium 3720. Furthermore, FIG. 40 shows a specific example ofvarious data to be recorded on the recording medium 3720.

The recording apparatus 3700 in FIG. 37 is different from the recordingapparatus 3100 in FIG. 31 in being separately provided with a firstmedia key for the first category and a second media key for the secondcategory, then encrypting the first and the second media key in a firstmedia key encryption unit 3705 and a second media key encryption unit3706, respectively, encrypting a first seed in a first seed encryptionunit (1) 3707 and a second seed encryption unit (2) 3711, using thefirst and the second media keys, respectively, and then recording theoutput on the recording medium 3720. As the rest of the points are thesame as in the recording apparatus 3100 in the aforementioned sixthembodiment, their description shall be omitted.

The recording medium 3720 includes the following: a first encryptedmedia key data recording area 3721 for recording first encrypted mediakey data; a second encrypted media key data recording area 3722 forrecording second encrypted media key data; a first encrypted seed (1)recording area 3723 for recording the first encrypted seed (1) generatedby the first seed encryption unit (1) 3707; a first encrypted seed (2)recording area 3726 for recording the first encrypted seed (2) generatedby the first seed encryption unit (2) 3711; a second encrypted seed datarecording area 3724 for recording the second encrypted seed; and anencrypted content recording area 3725 for recording the encryptedcontent. Moreover, the second encrypted seed data is decrypted by aread-out apparatus 3810 of the first reproduction apparatus 3800 and bythe second reproduction apparatus 3900, using the second media key.

In the first reproduction apparatus 3800, a decryption apparatus 3820obtains the first seed by decrypting the first encrypted seed (1) whichis read out from the recording medium 3720 by the read-out apparatus3810. As the rest of the points are the same as in the firstreproduction apparatus 3200 in the aforementioned sixth embodiment,their description shall be omitted.

The second reproduction apparatus 3900 obtains the first seed bydecrypting the first encrypted seed (2) which is read out from therecording medium 3720. As the rest of the points are the same as in thesecond reproduction apparatus 3300 in the aforementioned sixthembodiment, their description shall be omitted.

FIG. 40 shows a specific example of the various data to be recorded onthe recording medium 3720. A first media key (MK1) encrypted usingdevice keys (DKA1 to DKAm) held by the first category decryptionapparatuses is recorded in the first encrypted media key data recordingarea 3721. A second media key (MK2) encrypted using device keys (DKB1 toDKBm) held by the second category apparatuses is recorded in the secondencrypted media key data recording area 3722. Furthermore, a first seed(SD1) which is encrypted using the first media key (MK1) is recorded inthe first encrypted seed data (1) recording area 3723, and a first seed(SD1) encrypted using the second media key (MK2) is recorded in thefirst encrypted seed data (2) recording area 3726. As the rest of thepoints are the same as in FIG. 34 described earlier, their descriptionshall be omitted. Moreover, Ef (X, Y) in FIG. 40 refers to functions forencrypting data Y using key data X. The present embodiment uses DEScryptography having a key length of 56 bits.

In the above-configured seventh embodiment of the present invention, inthe case where, for example, a number of device keys provided to thefirst category decryption apparatuses and the algorithm for decryptingthe first encrypted media key data are illicitly exposed over theInternet, and it is judged that the revocation for the first categorydecryption apparatuses has stopped functioning, the revocation systemfor the first category decryption apparatuses is updated. Specificexamples are described hereinafter.

(System Update Specific Example 1)

FIG. 41 shows a specific example 1 for various data to be recorded on anew recording medium 3720 which is created after it is judged that therevocation for the first category decryption apparatuses has stoppedfunctioning. The difference with FIG. 40 is that the device keys DKA1 toDKAm used in generating the first encrypted media key data are changedto DKA′1 to DKA′m. As this is the same as the system update specificexample 1 described in the aforementioned first embodiment, descriptionof details shall be omitted.

(System Update Example 2)

FIG. 42 shows a specific example 2 for various data to be recorded on anew recording medium 3720 which is created after it is judged that therevocation for the first category decryption apparatuses has stoppedfunctioning. The difference with FIG. 40 is that the device keys DKA1 toDKAm used in generating the first encrypted media key data are changedto DKA′1 to DKA′m, the encryption algorithm is changed from Ea (X, Y) toEa′ (X, Y), and the encryption algorithm for the first encrypted seed(1) is changed from Ec (X, Y) to Ec′ (X, Y). As this is the same as thesystem update specific example 2 described in the aforementioned thirdembodiment, description of details shall be omitted.

According to the above-configured fifth embodiment of the presentinvention, a strong copyright protection system can be constructed, inthe same manner as in the sixth embodiment. In addition, by havingseparate media keys for the first category and the second category, andproviding stages of the encrypted seeds which respectively use suchmedia keys, in the present embodiment, the independence betweencategories can be increased. More specifically, even in the case where adevice key is exposed from an apparatus belonging to the first category,the media key that can be obtained using such device key is limited tothe first media key only, and thus it is possible to prevent the secondmedia key from being exposed. This is particularly effective in the casewhere, as in the present embodiment, (a) the first category refers to adecryption apparatus implemented through software for which updating andadding of decryption algorithms and keys is easy but sturdyimplementation is difficult, and (b) the second category refers to areproduction apparatus or a read apparatus implemented through hardwarewhich is sturdy but updating and adding of decryption algorithms andkeys is difficult.

Moreover, although in FIG. 37, a configuration is assumed in which thefirst media key, the second media key, the first seed, and the secondseed are inputted from a source outside of the recording apparatus 3700,the present invention is not limited to such configuration. For example,it is also possible to have a configuration in which the recordingapparatus 3700 includes a storage unit for storing them. Furthermore, itis also possible for to have a configuration in which the recordingapparatus 3700 includes a generation unit which generates them asrequired.

Furthermore, although in FIG. 37, a configuration is assumed in whichthe content key is generated from the first seed and the second seed,and then the content is encrypted using the content key, and then thefirst and the second seeds are encrypted using the media keys, thepresent invention is not limited to such configuration. For example, itis also possible to have a configuration in which the stages forencryption are further increased through the addition of keys.

Furthermore, as shown in FIG. 37, the recording apparatus in the presentembodiment assumes an integrated configuration for the device keystorage unit, the media key encryption unit and the seed encryption unitfor each category, as well as the content key generation unit, thecontent encryption unit and the recording of respective data onto therecording medium. However, the present invention is not limited to such,and it is possible to have a configuration in which the recordingapparatus is separated. For example, it is also possible to have aconfiguration in which (a) the device key storage unit, the media keyencryption unit and the seed encryption units for each category, as wellas the content key generation unit (the section enclosed in broken linesin FIG. 37) are built into an apparatus which is provided in a facilitywhich operates the key management of the entire system and the keyissuance for the reproduction apparatuses, as their management andoperation require great confidentiality, and (b) the content encryptionunit and the recording of respective data onto the recording medium isexecuted by an apparatus provided in a content manufacturing facility ora recording medium manufacturing facility.

Furthermore, in the present embodiment, during the generation of thefirst encrypted media key data in the system updating, data is alsoassigned to the revoked decryption apparatuses at the time of systemupdating, as in Ea (DKA′2, 0) in FIG. 41 and Ea′ (DKA′2, 0) in FIG. 42.However, it is also possible to have a configuration in which data isnot assigned to a revoked decryption apparatus. In that case, theposition of the encrypted media key to be used by the decryptionapparatuses which are not revoked is also updated, and by providing newposition information when a new device key is provided, the decryptionapparatuses that are not revoked can use the appropriate data and obtainthe correct media key even if there is a change in the position of theencrypted media key before and after the system update. In such a case,the volume of data that needs to be stored in the first encrypted mediakey data recording area after the system update can be reduced.Alternatively, when the maximum value for the volume is limited, itbecomes possible to increase the number of new decryption apparatusesbelonging to the first category.

Furthermore, although the present embodiment adopts a method in whichrevocation of a decryption apparatus is performed using encrypted mediakey data such as that shown in FIG. 40, a different method can be usedfor the method for revocation. For example, the revocation methodutilizing a tree-structure, disclosed in patent reference 1 can also beused.

Furthermore, although the present embodiment makes use of the DES havinga 56-bit key length as the encryption algorithm, and the two-key tripleDES having a 112-bit key length as the post-system update algorithm, thepresent invention is not limited to such, and can also use otherencryption algorithms such as AES having a 128-bit key length, forexample, which is referred to as a next-generation standard cryptograph.

Moreover, although the present embodiment is an application of thepresent invention in a system in which a content is distributed using aplayback-only recording medium, and the distributed content isreproduced using reproduction apparatuses, the present invention is notlimited to such application. The present invention can also be appliedin a system utilizing a rewritable or recordable recording medium, byassuming a configuration in which encrypted media key data and anencrypted seed for each category are generated and recorded on arecording medium by a key generation apparatus, and the encrypted mediakey data and the encrypted seeds are decrypted, and then a content keyis generated and the content is encrypted by a recording apparatus, inthe same manner as in the aforementioned second embodiment.

According to the present invention, there is no need for a firstcategory apparatus and a second category apparatus to read the first orsecond encrypted media key data which are for revoking respectiveapparatuses of the different categories. Therefore, the memory capacityprovided within the apparatus can be made smaller and processing timecan be reduced.

Furthermore, the encryption algorithm used in generating the firstencrypted media key data can be made different from the encryptionalgorithm used in generating the second encrypted media key data.Therefore, even in the case where the revocation system of the firstcategory reproduction apparatuses falls into a situation where it isexposed, the revocation system can be changed, without affecting thesecond category reproduction apparatuses, by changing (a) the key lengthof the device keys provided to a first category reproduction apparatusesand (b) the generation algorithm of the first encrypted media key data.

INDUSTRIAL APPLICABILITY

The copyright protection system according to the present invention hasthe effect of (a) being able to reduce the size of the memory providedwithin an apparatus, and (b) being able, even in the case whereapparatuses of a certain category are illicitly cryptanalyzed andalgorithms and a number of keys are exposed, to maintain the revocationfunction for the entirety of the system, without having to make anychanges to the apparatuses of other categories, by changing theencryption/decryption algorithm and the length of the keys for suchcategory. The copyright protection system according to the presentinvention is useful in the case where, in a system in which a contentwhich is a digitalized literary work is recorded onto or reproduced froma large-capacity recording medium such as an optical disc, there exist(a) a recording apparatus or reproduction apparatus implemented throughsoftware, for which updating and adding of decryption algorithms andkeys is easy but sturdy implementation is difficult, and (b) a recordingapparatus or reproduction apparatus implemented through hardware whichis sturdy but updating and adding of decryption algorithms and keys isdifficult.

1. A copyright protection system comprising: a recording apparatus operable to encrypt a content and to record the encrypted content; a recording medium on which the encrypted content is recorded; and reproduction apparatuses, each of which is operable to read out and decrypt the encrypted content recorded on said recording medium, wherein said reproduction apparatuses are classified into N-categories, N being a natural number greater than one, said recording apparatus is operable (a) to generate, for the respective N-categories and based on a media key and device key data, revocation data intended for revoking a device key, (b) to generate the encrypted content which is the content encrypted based on the media key, and (c) to record at least the N-pieces of revocation data and the encrypted content onto said recording medium, the device key data being held by said reproduction apparatuses of the respective N-categories, and the device key being held by a specific reproduction apparatus of the respective categories, and said reproduction apparatuses are each operable (a) to read out, from said recording medium, revocation data, among the N-pieces of revocation data, which is for the category to which said reproduction apparatus belongs, and the encrypted content, and (b) to decrypt the encrypted content based on the read-out revocation data.
 2. The copyright protection system according to claim 1, wherein each of the N-pieces of revocation data is encrypted media key data which is the media key encrypted using the device key data held by said reproduction apparatuses of a corresponding category, and said reproduction apparatuses of the respective categories are each operable (a) to read out, from said recording medium, the corresponding encrypted media key data and the encrypted content, (b) to obtain the media key by decrypting the encrypted media key data using the held device key, and (c) to decrypt the encrypted content based on the obtained media key.
 3. The copyright protection system according to claim 2, wherein said recording apparatus is operable to generate an encryption key based on the media key, and to encrypt the content based on the encryption key, and said reproduction apparatuses of the respective categories are each operable to generate a decryption key based on the obtained media key, and to decrypt the encrypted content based on the generated decryption key.
 4. The copyright protection system according to claim 2, wherein said recording apparatus is operable to encrypt the content using a content key, to generate an encrypted content key by encrypting the content key using the media key, and to record the generated encrypted content key onto said recording medium, and said reproduction apparatuses of the respective categories are each operable to read out the encrypted content key from said recording medium, to obtain the content key by decrypting the encrypted content key using the media key, and to decrypt the encrypted content using the obtained content key.
 5. The copyright protection system according to claim 1, wherein each of the N-pieces of revocation data is encrypted media key data which is a media key for a corresponding category, encrypted using the device key data held by said reproduction apparatuses of the corresponding category, said recording apparatus is operable to encrypt the content using a content key, to generate N-pieces of encrypted content keys by encrypting the content key using N-pieces of media keys, and to record, onto said recording medium, at least the N-pieces of encrypted media key data, the N-pieces of encrypted content keys, and the encrypted content, and said reproduction apparatuses of the respective categories are each operable (a) to read out, from said recording medium, the encrypted media key data for the corresponding category, the encrypted content key for the corresponding category, and the encrypted content, (b) to obtain the media key for the corresponding category by decrypting the encrypted media key data using the held device key, (c) to obtain the content key by decrypting the encrypted content key for the corresponding category using the obtained media key for the corresponding category, and (d) to decrypt the encrypted content using the obtained content key.
 6. The copyright protection system according to claim 1, wherein said recording apparatuses are made up of: second reproduction apparatuses belonging to a second category, each of which is operable to read out and decrypt the encrypted content recorded on the recording medium; and first reproduction apparatuses, each of which includes: a read-out apparatus of the second category operable to read out and perform a part of a decryption process on the encrypted content recorded on the recording medium; and a decryption apparatus of a first category, connected to said read-out apparatus of the second category, operable to perform a part of the decryption process on the encrypted content, wherein said recording apparatus is operable (a) to generate, based on a media key and on device key data held by said decryption apparatuses of the first category, first revocation data intended for revoking a device key held by a specific decryption apparatus of the first category, (b) to generate, based on a media key and on device key data held by said apparatuses of the second category, second revocation data intended for revoking a device key held by a specific apparatus of the second category, (c) to generate an encrypted content which is the content encrypted based on the media key, and (d) to record at least the first revocation data, the second revocation data, and the encrypted content onto said recording medium, said second reproduction apparatuses are each operable to read out the second revocation data and the encrypted content from said recording medium, and to decrypt the encrypted content based on the second revocation data, and in each of said first reproduction apparatuses: said read-out apparatus of the second category is operable (a) to read out, from said recording medium, the first revocation data, the second revocation data, and the encrypted content, and (to) supply intermediate data and the first revocation data to said decryption apparatus of the first category; and said decryption apparatus of the first category is operable to obtain the content by performing the decryption process, based on the first revocation data, on the intermediate data supplied by said read-out apparatus of the second category, the intermediate data being the encrypted data on which the part of the decryption process has been performed based on the second revocation data.
 7. A recording apparatus which encrypts a content and records the encrypted content, wherein said recording apparatus is operable (a) to generate, for respective N-categories and based on a media key and device key data, revocation data intended for revoking a device key, (b) to generate an encrypted content which is the content encrypted based on the media key, and (c) to record at least the N-pieces of revocation data and the encrypted content onto a recording medium, the device key data being held by reproduction apparatuses classified into N-categories and belonging to the respective categories, the device key being held by a specific reproduction apparatus of the respective categories, and N being a natural number greater than one.
 8. The recording apparatus according to claim 7, wherein each of the N-pieces of revocation data is encrypted media key data which is the media key encrypted using the device key data held by the reproduction apparatuses of a corresponding category.
 9. The recording apparatus according to claim 8, wherein said recording apparatus generates an encryption key based on the media key, and to encrypt the content based on the encryption key.
 10. The recording apparatus according to claim 8, wherein said recording apparatus encrypts the content using a content key, generates an encrypted content key which is the content key encrypted using the media key, and records the generated encrypted key onto the recording medium.
 11. The recording apparatus according to claim 7, wherein each of the N-pieces of revocation data is encrypted media key data which is a media key for a corresponding category, encrypted using the device key data held by the reproduction apparatuses of the corresponding category, and said recording apparatus is operable (a) to encrypt the content using a content key, (b) to generate N-pieces of encrypted content keys by encrypting the content key using N-pieces of media keys, and (c) to record, onto the recording medium, at least the N-pieces of encrypted media key data, the N-pieces of encrypted content keys, and the encrypted content.
 12. The recording apparatus according to claim 7, wherein said recording apparatus (a) generates, based on a media key and on device key data held by decryption apparatuses of the first category, first revocation data intended for revoking a device key held by a specific decryption apparatus of the first category, (b) generates, based on a media key and on device key data held by apparatuses of the second category, second revocation data intended for revoking a device key held by a specific apparatus of the second category, and (c) generates an encrypted content which is the content encrypted based on the media key, and to record at least the first revocation data, the second revocation data, and the encrypted content onto the recording medium.
 13. A recording medium on which a content is recorded, wherein on said recording medium, at least revocation data and an encrypted content are recorded, the revocation data being generated based on a media key and device key data and intended for revoking a device key, the device key data being held by reproduction apparatuses classified into N-categories and belonging to the respective categories, the device key being held by a specific reproduction apparatus of the respective categories, the encrypted content being generated by encrypting the content based on the media key, and N being a natural number greater than one.
 14. The recording medium according to claim 13, wherein each of the N-pieces of revocation data is encrypted media key data which is the media key encrypted using the device key data held by said reproduction apparatuses of a corresponding category.
 15. The recording medium according to claim 14, wherein the encrypted content is generated by encrypting the content, based on an encryption key generated based on the media key.
 16. The recording medium according to claim 14, wherein the encrypted content is generated by encrypting the content using a content key, and on said recording medium, an encrypted content key is recorded, the encrypted content key being generated by encrypting the content key using the media key.
 17. The recording medium according to claim 13, wherein each of the N-pieces of revocation data is encrypted media key data which is a media key for a corresponding category, encrypted using the device key data held by the reproduction apparatuses of the corresponding category, the encrypted content is generated by encrypting the content using a content key, and on said recording medium, N-pieces of encrypted content keys generated by encrypting the content key using the N-pieces of media keys are recorded.
 18. The recording medium according to claim 13, wherein on said recording medium, at least first revocation data, second revocation data, and the encrypted content are recorded, the first revocation data being generated based on the media key and on device key data held by decryption apparatuses of a first category and intended for revoking a device key held by a specific decryption apparatus of the first category, the second revocation data being generated based on the media key and on device key data held by apparatuses of a second category and intended for revoking a device key held by a specific apparatus of the second category, and the encrypted content being the content on which an encryption process has been performed based on the media key.
 19. A reproduction apparatus which reproduces an encrypted content recorded on a recording medium, wherein said reproduction apparatuses are classified into N-categories, N being a natural number greater than one, on the recording medium, at least revocation data and an encrypted content are recorded, the revocation data being generated based on a media key and device key data and intended for revoking a device key, the device key data being held by said reproduction apparatuses of the respective N-categories, the device key being held by a specific reproduction apparatus of the respective categories, and the encrypted content being generated by encrypting the content based on the media key, and said reproduction apparatus is operable (a) to read out, from the recording medium, revocation data, among the N-pieces of revocation data, which is for the category to which said reproduction apparatus belongs, and the encrypted content, and (b) to decrypt the encrypted content based on the read-out revocation data.
 20. The reproduction apparatus according to claim 19, wherein each of the N-pieces of revocation data is encrypted media key data which is the media key encrypted using the device key data held by said reproduction apparatuses of a corresponding category, and said reproduction apparatuses are operable (a) to read out, from the recording medium, the corresponding encrypted media key data and the encrypted content, (b) to obtain the media key by decrypting the encrypted media key data using the held device key, and (c) to decrypt the encrypted content based on the obtained media key.
 21. The reproduction apparatus according to claim 20, wherein the encrypted content is generated by encrypting the content, based on an encryption key generated based on the media key, and said reproduction apparatus is operable to generate a decryption key based on the obtained media key, and to decrypt the encrypted content based on the generated decryption key.
 22. The reproduction apparatus according to claim 20, wherein the encrypted content is generated by encrypting the content using a content key, on the recording medium, an encrypted content key generated by encrypting the content key using the media key is recorded, and said reproduction apparatus is operable (a) to read out the encrypted content key from the recording medium, (b) to obtain the content key by decrypting the encrypted content key using the media key, and (c) to decrypt the encrypted content using the obtained content key.
 23. The reproduction apparatus according to claim 19, wherein each of the N-pieces of revocation data is encrypted media key data which is a media key for a corresponding category, encrypted using the device key data held by the reproduction apparatuses of the corresponding category, the encrypted content is generated by encrypting the content using a content key, on the recording medium, N-pieces of encrypted content keys generated by encrypting the content key using the N-pieces of media keys are recorded, and said reproduction apparatus is operable (a) to read out, from the recording medium, the encrypted media key data for the corresponding category, the encrypted content key for the corresponding category, and the encrypted content, (b) to obtain the media key for the corresponding category by decrypting the encrypted media key data using the held device key, (c) to obtain the content key by decrypting the encrypted content key using the obtained media key for the corresponding category, and (d) to decrypt the encrypted content using the obtained content key.
 24. The reproduction apparatus according to claim 19, wherein on the recording medium, at least first revocation data, second revocation data, and the encrypted content are recorded, the first revocation data being generated based on the media key and on device key data held by decryption apparatuses of a first category and intended for revoking a device key held by a specific decryption apparatus of the first category, the second revocation data being generated based on the media key and on device key data held by apparatuses of a second category and intended for revoking a device key held by a specific apparatus of the second category, and the encrypted content being the content on which an encryption process has been performed based on the media key, and said reproduction apparatus belongs to the second category and is operable to read out, from the recording medium, the second revocation data and the encrypted content, and to decrypt the encrypted content based on the second revocation data.
 25. A read-out apparatus included in a reproduction apparatus which reproduces an encrypted content recorded on a recording medium, wherein on the recording medium, at least first revocation data, second revocation data, and the encrypted content are recorded, the first revocation data being generated based on a media key and on device key data held by decryption apparatuses of a first category and intended for revoking a device key held by a specific decryption apparatus of the first category, the second revocation data being generated based on the media key and on device key data held by apparatuses of a second category and intended for revoking a device key held by a specific apparatus of the second category, and the encrypted content being the content on which an encryption process has been performed based on the media key, and said read-out apparatus belongs to the second category and is operable (a) to read out, from the recording medium, the first revocation data, the second revocation data, and the encrypted content, (b) to generate intermediate data which is the encrypted data on which a part of a decryption process has been performed, based on the second revocation data, and (c) to output the generated intermediate data and the first revocation data.
 26. A decryption apparatus included in a reproduction apparatus which reproduces an encrypted content recorded on a recording medium, wherein on the recording medium, at least first revocation data, second revocation data, and the encrypted content are recorded, the first revocation data being generated based on a media key and on device key data held by decryption apparatuses of a first category and intended for revoking a device key held by a specific decryption apparatus of the first category, the second revocation data being generated based on the media key and on device key data held by apparatuses of a second category and intended for revoking a device key held by a specific apparatus of the second category, and the encrypted content being the content on which an encryption process has been performed based on the media key, read-out apparatuses of the second category are each operable (a) to read out, from the recording medium, the first revocation data, the second revocation data, and the encrypted content, (b) to generate intermediate data which is the encrypted data on which a part of a decryption process has been performed, based on the second revocation data, and (c) to output the generated intermediate data and the first revocation data, and said decryption apparatus belongs to the first category and is operable to obtain the content by performing a decryption process, based on the first revocation data, on the intermediate data supplied by said read-out apparatus of the second category.
 27. A reproduction apparatus which reproduces an encrypted content recorded on a recording medium, said reproduction apparatus comprising: said read-out apparatus according to claim 25; and a decryption apparatus which reproduces an encrypted content recorded on a recording medium, wherein on the recording medium, at least first revocation data, second revocation data, and the encrypted content are recorded, the first revocation data being generated based on a media key and on device key data held by decryption apparatuses of a first category and intended for revoking a device key held by a specific decryption apparatus of the first category, the second revocation data being generated based on the media key and on device key data held by apparatuses of a second category and intended for revoking a device key held by a specific apparatus of the second category, and the encrypted content being the content on which an encryption process has been performed based on the media key, read-out apparatuses of the second category are each operable (a) to read out, from the recording medium, the first revocation data, the second revocation data, and the encrypted content, (b) to generate intermediate data which is the encrypted data on which a part of a decryption process has been performed, based on the second revocation data, and (c) to output the generated intermediate data and the first revocation data, and said decryption apparatus belongs to the first category and is operable to obtain the content by performing a decryption process, based on the first revocation data, on the intermediate data supplied by said read-out apparatus of the second category.
 28. A copyright protection system comprising: a key generation apparatus operable to generate and record revocation data necessary for encrypting and decrypting a content, recording apparatuses, each of which is operable to encrypt a content and to record the encrypted content; a recording medium on which the encrypted content and the revocation data are recorded; and reproduction apparatuses, each of which is operable to read out and decrypt the encrypted content recorded on said recording medium, wherein said recording apparatuses and said reproduction apparatuses are classified into N-categories, N being a natural number greater than one, said key generation apparatus is operable (a) to generate, for the respective N-categories and based on a media key and device key data, revocation data intended for revoking a device key, and (b) to record the N-pieces of revocation data onto said recording medium, the device key data being held by one of said recording apparatuses and said reproduction apparatuses belonging to the respective N-categories, the device key being held by one of a specific recording apparatus and a specific reproduction apparatus of the respective categories, said recording apparatuses are each operable (a) to read out, from said recording medium, revocation data among the N-pieces of revocation data, which is for the category to which said recording apparatus belongs, (b) to generate the encrypted content by encrypting the content based on the read-out revocation data, and (c) to record the generated encrypted content on said recording medium, and said reproduction apparatuses are each operable (a) to read out, from said recording medium, revocation data among the N-pieces of revocation data, which is for the category to which said reproduction apparatus belongs, and the encrypted content, and (b) to decrypt the encrypted content based on the read-out revocation data.
 29. A key generation apparatus which generates, for respective N-categories and based on a media key and device key data, revocation data intended for revoking a device key, and which records the generated N-pieces of revocation data onto a recording medium, the device key data being held by one of the recording apparatuses and the reproduction apparatuses classified into N-categories and belonging to the respective categories, the device key being held by one of a specific recording apparatus and a specific reproduction apparatus of the respective categories, and N being a natural number greater than one.
 30. A recording apparatus which encrypts a content and records the encrypted content, wherein said recording apparatus is operable (a) to read out, from a recording medium on which N-pieces of revocation data are recorded, revocation data for a category to which said recording apparatus belongs, (b) to generate an encrypted content by encrypting the content based on the read-out revocation data, and (c) to record the generated encrypted content onto the recording medium, the revocation data being generated based on a media key and device key data and intended for revoking a device key, the device key data being held by one of recording apparatuses and reproduction apparatuses which are classified into N-categories and belonging to the respective categories, the device key being held by one of a specific recording apparatus and a specific reproduction apparatus of the respective categories, and N being a natural number greater than one.
 31. A recording method for use in a recording apparatus which encrypts a content and records the encrypted content, said method comprising: a step of generating, for respective N-categories and based on a media key and device key data, revocation data intended for revoking a device key, the device key data being held by the reproduction apparatuses classified into the N-categories and belonging to the respective N-categories, the device key being held by a specific reproduction apparatus of the respective categories, and N being a natural number greater than one; an encrypted content generation step of generating the encrypted content by encrypting the content, based on the media key; and a recording step of recording at least the N-pieces of revocation data and the encrypted content onto the recording medium.
 32. A reproduction method for use in a reproduction apparatus which reproduces an encrypted content recorded on a recording medium, wherein the reproduction apparatuses are classified into N-categories, N being a natural number greater than one, on the recording medium, at least revocation data and the encrypted content are recorded, the revocation data being generated based on a media key and device key data and intended for revoking a device key, the device key data being held by the reproduction apparatuses of the respective N-categories, the device key being held by a specific reproduction apparatus of the respective categories, and the encrypted content being generated by encrypting the content based on the media key, and said reproduction method comprises: a read-out step of reading out, from the recording medium: revocation data among the N-pieces of revocation data, for the category to which the reproduction apparatus belongs; and the encrypted content; and a decryption step of decrypting the encrypted content based on the revocation data read out in said read-out step.
 33. A program for use in a recording apparatus which encrypts a content and records the encrypted content, said program comprising: a step of generating, for respective N-categories and based on a media key and device key data, revocation data intended for revoking a device key, the device key data being held by reproduction apparatuses classified into the N-categories and belonging to the respective N-categories, the device key being held by a specific reproduction apparatus of the respective categories, and N being a natural number greater than one; an encrypted content generation step of generating the encrypted content by encrypting the content, based on the media key; a recording step of recording at least the N-pieces of revocation data and the encrypted content onto the recording medium.
 34. A program for use in a reproduction apparatus which reproduces an encrypted content recorded on a recording medium, wherein the recording apparatuses are classified into N-categories, N being a natural number greater than one, on the recording medium, at least revocation data and the encrypted content are recorded, the revocation data being generated based on a media key and device key data and intended for revoking a device key, the device key data being held by the reproduction apparatuses of the respective N-categories, the device key being held by a specific reproduction apparatus of the respective categories, and the encrypted content being generated by encrypting the content based on the media key, and said program comprises: a read-out step of reading out, from the recording medium: revocation data among the N-pieces of revocation data, for the category to which the reproduction apparatus belongs; and the encrypted content; and a decryption step of decrypting the encrypted content based on the revocation data read out in said read-out step. 